
OAuth resource protection

Learn how to configure and customize OAuth protection for your resources.

Protected resources
In the OAuth model, a protected resource is a resource that requires an access token. You can use the MobileFirst security framework to protect both resources hosted on an instance of MobileFirst Server and resources on an external server. You protect a resource by assigning it a scope that defines the required permissions for acquiring an access token for the resource. See Overview of the MobileFirst security framework. Mobile-application access to protected resources is also restricted by the mandatory application scope.
MobileFirst adapter resources are protected by default, meaning that an access token is required to access such resources even when no scope is explicitly assigned to the resource. You can disable the default resource protection.
The resource scope can contain custom scope elements that are mapped to security checks at the application level.

Note: An empty scope is also a valid scope, and requires an access token.

Unprotected resources
An unprotected resource is a resource that does not require an access token. The MobileFirst security framework does not manage access to unprotected resources, and does not validate or check the identity of clients that access these resources. Therefore, features such as Direct Update, blocking device access, or remotely disabling an application, are not supported for unprotected resources. See Updating Cordova client apps directly and Mobile-application management.
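
The following added example (not IBM or MobileFirst code) models the rules above as a small decision function: default protection, the empty scope, custom scope elements mapped to security checks, the mandatory application scope, and unprotected resources. The object shapes, the function names, and the names AppCheck, PinCode, UserLogin and accessRestricted are assumptions made for illustration.

```javascript
// Simplified model of the rules on this page; not MobileFirst Server code.
// Assumptions: a scope is a space-separated string of scope elements, and an
// element with no application-level mapping names a security check directly.
function expandScope(scope, mapping) {
  const checks = new Set();
  for (const element of (scope || "").split(/\s+/).filter(Boolean)) {
    const mapped = Object.prototype.hasOwnProperty.call(mapping, element)
      ? mapping[element]
      : element;
    for (const check of mapped.split(/\s+/).filter(Boolean)) checks.add(check);
  }
  return checks;
}

// null  -> unprotected resource: no token, no client validation.
// array -> security checks a client must pass to acquire a token (may be empty).
function requiredChecks(resource, app) {
  if (resource.protectionEnabled === false) return null;
  const checks = expandScope(resource.scope, app.scopeMapping);
  for (const c of expandScope(app.mandatoryScope, app.scopeMapping)) checks.add(c);
  return [...checks].sort();
}

// token is null or { grantedChecks: [...] } (hypothetical shape).
function evaluateAccess(resource, app, token) {
  const required = requiredChecks(resource, app);
  if (required === null) return { allowed: true, tokenRequired: false, missing: [] };
  if (!token) return { allowed: false, tokenRequired: true, missing: required };
  const granted = new Set(token.grantedChecks);
  const missing = required.filter((c) => !granted.has(c));
  return { allowed: missing.length === 0, tokenRequired: true, missing };
}

// Constructed sample configuration; every name below is hypothetical.
const app = {
  mandatoryScope: "AppCheck",
  scopeMapping: { accessRestricted: "PinCode UserLogin" },
};
const resources = {
  noScope: {},                            // protected by default
  emptyScope: { scope: "" },              // valid scope, still needs a token
  custom: { scope: "accessRestricted" },  // custom element mapped to checks
  open: { protectionEnabled: false },     // default protection disabled
};

for (const [name, res] of Object.entries(resources)) {
  console.log(name, JSON.stringify(evaluateAccess(res, app, null)));
}
```

When reviewing an adapter, the resources to look at first are those for which this model returns null: they are the ones the security framework does not manage, so any access control has to come from somewhere else.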
