OAuth2 Scopes Schema

Within IAP Integration instances, support has been added for OAUTH2 and OIDC authorization requests, including OAUTH access tokens that contain the scopes parameter. The scopes parameter is used by the client (app or website) to signal to the authentication provider which permissions are required for the client’s session.

Sample Scopes Schema

An example integration schema with its scopes in the authorizationCode is presented below. The example uses the BoxDev OAuth2 provider,

The scopes object is an enumerated list of scope_name: description of all scopes the OAuth provider offers, from which the user may choose a subset for the access token. The user can declare this subset in the configuration of the integration instance.

{
  ...
  "components": {
    "securitySchemes": {
      "OAuth2Security": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://account.box.com/api/oauth2/authorize",
            "scopes": {
              "manage_app_users": "Provision and manage app users",
              "manage_data_retention": "Manage data retention polices",
              "manage_enterprise_properties": "Manage enterprise properties",
              "manage_groups": "Manage an enterprise's groups",
              "manage_legal_hold": "Manage Legal Holds",
              "manage_managed_users": "Provision and manage managed users",
              "manage_webhook": "Create webhooks programmatically through the API",
              "root_readonly": "Read all files and folders stored in Box",
              "root_readwrite": "Read and write all files and folders stored in Box"
            },
            "tokenUrl": "https://api.box.com/oauth2/token"
          }
        }
      }
    }
  }
}

Sample Scope Configuration

An example integration instance is shown in Figure 1. From the example configuration, scope is set to read write for Microsoft Online.

Figure 1: Scope Configuration

Related Reading

• OAuth Scopes