For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.

Mapping scope elements

Map custom scope elements to security checks to define application-specific security logic.


An OAuth scope is composed of zero or more scope elements, and each scope element is mapped to zero or more security checks (see OAuth scopes and security checks). We can define custom scope elements for our application, which map to any of the predefined or custom security checks that are available for the application.

The application scope mapping provides multiple advantages.


Map scope elements to security checks by using one of the following alternative methods:


After you successfully map one or more scope elements, we can see your defined scope elements in the Scope-Elements Mapping table on the application Security console page. In addition, we can see the scope-mapping property definition in the application descriptor: in the console, go to the application Configuration Files tab. In the Application-Descriptor JSON File section, we can see a copy of the application-descriptor JSON file. Search for the scopeElementMapping property definition in this file. This definition object contains one or more name/value data pairs of the following format:

"ScopeElement": "[SecurityCheck1 SecurityCheck2 ...]" For example, the following code maps two scope elements:

  1. The UserAuth scope element is mapped to a custom UserAuthentication security check
  2. The SSOUserValidation scope element is mapped to the predefined LtpaBasedSSO security check, and to a custom CredentialsValidation security check.

"scopeElementMapping": { "UserAuth": "UserAuthentication", "SSOUserValidation": "LtpaBasedSSO CredentialsValidation" }

Parent topic: OAuth resource protection