For up-to-date product documentation, see the IBM MobileFirst Foundation Developer Center.
Configure a mandatory application scope
Configure a mandatory application scope to define application-specific authorization logic.
Before you begin
To use custom scope elements in your mandatory application scope, first map the required scope elements to security checks. See Mapping scope elements.
You can define a mandatory scope for your client application. When an application attempts to access a protected resource, the security framework maps the mandatory application scope to security checks. The framework runs these checks (if any) in addition to the security checks of the requested resource scope. Follow the outlined procedure to define a mandatory application scope.
Note:
- As with any other security scope, the mandatory application scope is not applied when accessing an unprotected resource. See Unprotected resources.
- The access token that is granted for the resource scope does not contain the mandatory application scope. See Structure of the MobileFirst access token.
Procedure
Define the mandatory application scope by using one of the following alternative methods:
- Using the IBM MobileFirst™ Platform Operations Console (the console)
  - Select your application version from the Applications section of the console's navigation sidebar, and then select the application Security tab.
  - In the Mandatory Application Scope section, select Create New.
  - In the Configure Mandatory Application Scope dialog window, select a scope element or security check from the items in the Select elements and security checks list, and select Add. The selection is from among custom scope elements that were mapped for your application, custom security checks defined in adapters that are deployed to the same MobileFirst Server instance as your application, and the predefined MobileFirst security checks.
    Repeat this step as needed to add more scope elements and security checks to the scope.
  To undo your configuration and eliminate the mandatory application scope, in the Mandatory Application Scope section of the console's application Security tab, delete all the scope elements that you previously added.
- Editing the application-descriptor file
  - Create a local copy of the application-descriptor JSON file. See Application configuration.
  - Edit your local copy to define a mandatoryScope property object, and set the property value to a scope string that contains a space-separated list of your selected scope elements:
    "mandatoryScope": "ScopeElement1 [ScopeElement2 ...]"
    A scope element can be the name of a custom scope element that was mapped for your application, a custom security check defined in an adapter that is deployed to the same MobileFirst Server instance as your application, or a predefined MobileFirst security check.
    For example, the following definition configures a mandatory application scope that contains the predefined application-authenticity security check (appAuthenticity) and a custom PincodeValidation scope element that was mapped for the application:
    "mandatoryScope": "appAuthenticity PincodeValidation"
  - Deploy your copy of the application-descriptor JSON file to MobileFirst Server. See Application configuration.
  To undo your configuration and eliminate the mandatory application scope, create a new copy of the application-descriptor file, and delete the mandatoryScope property definition or set the value to an empty string. Then redeploy the descriptor file to the server.
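As an added example that is not part of the IBM documentation or the MobileFirst product, the following Python helper applies the descriptor edits described above to a local copy of the file: it writes the space-separated mandatoryScope string, refuses elements that are not in an assumed set of mapped scope elements and security checks (KNOWN_ELEMENTS, constructed here), and undoes the scope by deleting the property, treating an empty string the same way. The descriptor content is constructed for the example, not a real application's descriptor.

```python
import json

# Constructed minimal application descriptor for the example (fields are placeholders).
SAMPLE_DESCRIPTOR = json.dumps({
    "applicationKey": {"applicationId": "com.example.placeholder", "platform": "android", "version": "1.0"},
    "mandatoryScope": "",
})

# Assumed set of scope elements valid for this application: custom scope elements mapped to
# security checks, security checks from adapters on the same server, and predefined checks.
KNOWN_ELEMENTS = {"appAuthenticity", "PincodeValidation", "UserLogin"}


def load_descriptor(text):
    """Parse a descriptor JSON string into a dict."""
    return json.loads(text)


def parse_mandatory_scope(descriptor):
    """Return the mandatory scope elements; a missing property or "" means no mandatory scope."""
    return descriptor.get("mandatoryScope", "").split()


def set_mandatory_scope(descriptor, elements, known=KNOWN_ELEMENTS):
    """Write mandatoryScope as a space-separated list, rejecting unknown or duplicate elements."""
    if not elements:
        raise ValueError("use clear_mandatory_scope() to remove the scope")
    unknown = [e for e in elements if e not in known]
    if unknown:
        raise ValueError(f"scope elements not mapped or defined for this application: {unknown}")
    if len(set(elements)) != len(elements):
        raise ValueError("duplicate scope elements")
    descriptor["mandatoryScope"] = " ".join(elements)
    return descriptor


def clear_mandatory_scope(descriptor):
    """Undo the configuration by deleting the property (equivalent to setting it to "")."""
    descriptor.pop("mandatoryScope", None)
    return descriptor


def update_descriptor_text(text, elements):
    """Round-trip a descriptor JSON string: set the scope, or clear it when elements is empty."""
    descriptor = load_descriptor(text)
    if elements:
        set_mandatory_scope(descriptor, elements)
    else:
        clear_mandatory_scope(descriptor)
    return json.dumps(descriptor, indent=2)
```

The output of update_descriptor_text is what you would redeploy to MobileFirst Server as the new descriptor copy.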
Results
After you successfully configure a mandatory application scope, you can see the defined mandatory application scope in the Mandatory Application Scope table on the application Security console page. In addition, you can see the mandatory-scope property definition in the application descriptor: in the console, go to the application Configuration Files tab. In the Application-Descriptor JSON File section you can see a copy of the application-descriptor JSON file. Search for the mandatoryScope property object in this file.