Allowed Scopes

In certain situations you may want to restrict which scope can be requested by certain applications. With wicked, this can be done using a setting on the subscription of an application to an API.

Example: An API has three different scopes: read, write and create, and offers only the Client Credentials Flow. Some applications/subscriptions shall only be able to read from the API, others are allowed to request any scope.

This can be achieved by specifying the allowed scopes. Changing allowed scopes can only be done by API Portal administrators, but any user of the API Portal can review the settings on their own subscriptions, by going to the applications they have a subscription for.

Possible Settings

The possible settings for the allowed scopes are the following:

  • All:

    The application can request any scope from the API; depending on the OAuth2 flow which is used, the request is either immediately granted (Client Credentials Flow), or the user has to grant access to the application (Authorization Code Grant and Implicit Grant). The Resource Owner Password Grant requires trusted applications, for which there is a special case (see below).

    This is the default for APIs where either the Authorization Code Grant or the Implicit Grant is enabled.

  • None:

    Applications of which the subscription is set to "None" will never be granted any scope. All access tokens will only ever be for the empty scope. Please note that this does not mean that you will not get any access tokens - it's just that the scope will always be empty (in case you request a valid scope).

    This is the default for APIs which only have the Client Credentials Flow enabled.

  • Select:

    With this setting, a set of scope aspects can be defined on a per-subscription basis. This is the setting which can be used to implement the example from above.

    This setting has to be manually set on a subscription, by an Admin.

Trusted Applications/Subscriptions

For trusted applications/subscriptions, the allowed scopes mode (see previous section) is implicitly set to All. It is not possible to restrain the scope which is granted to a trusted application.