OAuth Scopes
Scopes are labels in OAuth 2.0 that specify exactly what access an application is requesting, so the user can see and consent to a limited set of permissions rather than full access.
Also known as: scopes, OAuth scope
Scopes are how OAuth 2.0 expresses the boundaries of a request. When an application asks for access, it names the scopes it needs, such as reading a profile or making a payment, and the user is shown those specific permissions on the consent screen. The issued access token is then limited to what was granted.
Scopes implement the principle of least privilege at the authorization layer. An application should request only the scopes it actually needs, and the resource server enforces the boundary by rejecting any request whose token lacks the scope that the operation requires.
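The flow described above, as an added example that is not part of the original glossary entry or of any particular provider's code: the client builds the authorization request with a space-delimited `scope` parameter (RFC 6749 section 3.3), the user consents to a subset, the issued token carries only the granted scopes, and the resource server checks a token's scopes before each operation. The endpoint URLs, client id, scope names and token store are all constructed for the example.

```python
"""Constructed OAuth 2.0 scope walkthrough: request, consent, issuance, enforcement.

Everything here (endpoint names, client id, scope names, in-memory token store)
is an assumption made for illustration, not a real authorization server's API.
"""
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes the hypothetical authorization server recognises.
KNOWN_SCOPES = {"profile:read", "orders:read", "payments:write"}

# Hypothetical in-memory token store standing in for the authorization server.
TOKENS = {}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scopes, state):
    """Build an RFC 6749 section 4.1.1 authorization request.

    The scope parameter is a space-delimited list (section 3.3). Requesting an
    unregistered scope is rejected up front rather than silently dropped.
    """
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def requested_scopes(authorization_url):
    """Recover the scope list from the request; this is what the consent screen shows."""
    query = parse_qs(urlparse(authorization_url).query)
    return query.get("scope", [""])[0].split()


@dataclass(frozen=True)
class AccessToken:
    value: str
    scopes: frozenset


def issue_token(requested, granted):
    """Issue a token limited to what was both requested and granted.

    The user may consent to fewer scopes than the application asked for. When
    the issued scope differs from the requested one, RFC 6749 section 3.3
    requires the token response to include the effective `scope`.
    """
    effective = frozenset(requested) & frozenset(granted)
    token = AccessToken(value=secrets.token_urlsafe(16), scopes=effective)
    TOKENS[token.value] = token
    response = {"access_token": token.value, "token_type": "Bearer"}
    if effective != frozenset(requested):
        response["scope"] = " ".join(sorted(effective))
    return response


class InsufficientScope(Exception):
    """Resource server refusal; maps to HTTP 403 with
    WWW-Authenticate: Bearer error="insufficient_scope" (RFC 6750 section 3.1)."""


def require_scope(*needed):
    """Decorator: the resource server checks the token's scopes before running the handler."""
    def decorator(handler):
        def wrapper(token_value, *args, **kwargs):
            token = TOKENS.get(token_value)
            if token is None:
                raise PermissionError("invalid_token")
            missing = set(needed) - token.scopes
            if missing:
                raise InsufficientScope(sorted(missing))
            return handler(token, *args, **kwargs)
        return wrapper
    return decorator


@require_scope("profile:read")
def get_profile(token):
    return {"name": "Example User"}


@require_scope("payments:write")
def make_payment(token, amount):
    return {"status": "accepted", "amount": amount}


def call_with_token(handler, token_value, *args):
    """Report the enforcement outcome as data so callers can inspect it."""
    try:
        return ("ok", handler(token_value, *args))
    except InsufficientScope as exc:
        return ("insufficient_scope", exc.args[0])
    except PermissionError as exc:
        return ("invalid_token", str(exc))


if __name__ == "__main__":
    url = build_authorization_url("https://auth.example/authorize", "shop-app",
                                  "https://shop.example/cb",
                                  ["profile:read", "payments:write"], "xyz123")
    print("consent screen shows:", requested_scopes(url))
    resp = issue_token(["profile:read", "payments:write"], ["profile:read"])
    print("token response:", resp)
    print(call_with_token(get_profile, resp["access_token"]))
    print(call_with_token(make_payment, resp["access_token"], 25))
```

The point of the split between `issue_token` and `require_scope` is that consent narrows the token at issuance, and the resource server then treats the token's scope set, not the application's original request, as the only authority for what a call may do.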
For CIAM, scopes are central to consent and to integrations. They let customers grant a third party narrow access to their account, and they let a platform keep first-party and partner applications confined to the data and actions each one truly requires.
Sources
- IETF RFC 6749, The OAuth 2.0 Authorization Framework: https://datatracker.ietf.org/doc/html/rfc6749
Standards
- IETF RFC 6749