Good afternoon,
For "question 1" how to customize Scope issuing:
The OTK Scope issuing assertion is read-only. The existing logic to determine what scope to grant is below (note that scope string is case sensitive):
- If no scope is registered or only oob is registered, granted scope will always be oob
- If no scope is requested, granted scope will always be oob
- If scope requested matches exactly scope registered, the requested scope will be granted
- If scope(s) requested is/are subset of scope registered, the requested scope(s) will be granted
- If scope(s) registered is/are subset of scope requested, in other word, if some of the scope(s) requested is/are not in the scope registered. Only the requested scope(s) that are within the registered scope will be granted, the rest will be removed.
- If none of the scope(s) requested are in the scope registered, returns failure
The scope issuing logic is designed in consideration that Authorization server won't expose what has been registered for the client to prevent spoofing, we highly recommend you stay with the OOTB behavior. however some level of customization can be added to manipulate the input or output of the assertion in the service endpoint the to alter the result.
For Authorization_code flow, scope issuing is invoked in Authorization endpoint.
For the other grant types, it is invoked in Token endpoint
Note: Changes made to service endpoint will be overwritten after upgrade, manual merge required to reapply the change.
Here are some examples:
E.g. Use custom grant type to manipulate the scope.granted at token endpoint. the Custom grant type can define a new grant type or can replace an existing grant type depending on your needs.
For example, you want to change the scope behavior for the password grant type:
- Implement a custom grant_type to replace an the password grant
- In screenshot below, for scenario 1) and 2), instead of oob, the registered scope will be granted.
E.g. If you want change the scope behavior for all grant types at one place, manipulate the scope.requested before calling OTK Scope Issuing may give you the desired result.
- In the screenshot below, add logic before calling OTK Scope issuing assertion, check if ${request.http.parameter.scope} is empty, if so set it to scope.registered. This will make scenario 2 always grant registered scope when no scope is requested
For Question 2: OTK does support multiple scope values, If the response granted scope is "oob", it could be because the condition falls to the scenario 1 or 2. remember the string is case sensitive.
Sincerely,
Stephen Hughes
Broadcom Support