Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
An access token granted an Authenticated Identity OAuth2 Scope may be used to retrieve attributes of the identity currently authenticated by the Data Broker. Attributes defined by this scope may be retrieved as claims from the OpenID Connect /userinfo endpoint or as SCIM attributes from the SCIM /Me endpoint. An Authenticated Identity OAuth2 Scope does not enable access to any SCIM resources or resource types other than the authenticated identity, so it is the scope type to use when a client should only ever read or manage the profile of the user who obtained the token.
↓ Parent Component
↓ Properties
↓ dsconfig Usage
The Authenticated Identity OAuth2 Scope component inherits from the OAuth2 Scope component.
The properties supported by this managed object are as follows:
| Basic Properties: | Advanced Properties: |
|---|---|
| ↓ token-name | None |
| ↓ description | |
| ↓ tag | |
| ↓ consent-prompt-text | |
| ↓ consent-operation | |
| ↓ external-identity-operation | |
| ↓ account-operation | |
| ↓ resource-attribute | |
| ↓ resource-operation | |
| token-name | |
|---|---|
| Description | An OAuth 2.0 access token scope compliant with RFC 6749. The following characters are not permitted: space, '"', '\', '+' and ','. |
| Default Value | None |
| Allowed Values | An OAuth 2.0 access token scope compliant with RFC 6749. The following characters are not permitted: space, '"', '\', '+' and ','. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| description | |
|---|---|
| Description | A description for this OAuth2 Scope |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| tag | |
|---|---|
| Description | Tags associated with this OAuth2 Scope. Tags are arbitrary additional properties that may be examined by XACML policies. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| consent-prompt-text | |
|---|---|
| Description | This property is shown to the user when prompting for consent. It should convey a user-friendly description of what access is being requested via this scope. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| consent-operation | |
|---|---|
| Description | The actions allowed by this Authenticated Identity OAuth2 Scope on a consent sub-resource. |
| Default Value | None |
| Allowed Values | retrieve-consent - Indicates that this scope may be used to retrieve consents from a resource and to search for consents using a SCIM filter. revoke-consent - Indicates that this scope may be used to revoke consents. retrieve-consent-history - Indicates that this scope may be used to retrieve the consent history of a resource. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| external-identity-operation | |
|---|---|
| Description | The actions allowed by this Authenticated Identity OAuth2 Scope on an external identity sub-resource. |
| Default Value | None |
| Allowed Values | retrieve-external-identity - Indicates that this scope may be used to retrieve the external identities of a resource and to search for external identities using a SCIM filter. unlink-external-identity - Indicates that this scope may be used to unlink an external identity of a resource. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| account-operation | |
|---|---|
| Description | The account management actions allowed by this Authenticated Identity OAuth2 Scope. |
| Default Value | None |
| Allowed Values | reset-password - Indicates that this scope may be used to reset the current user's password. retrieve-password-quality-requirements - Indicates that this scope may be used to retrieve the password quality requirements for the current user. retrieve-account-state - Indicates that this scope may be used to retrieve the state of the current user's account. replace-account-state - Indicates that this scope may be used to update the state of the current user's account. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| resource-attribute | |
|---|---|
| Description | The resource attributes for which this Authenticated Identity OAuth2 Scope allows access. The type of access is determined by the resource-operation property. A value of "*" indicates that all attributes are accessible; combined with the modify operation this lets any bearer of the token rewrite every attribute of the identity, so list only the attributes the client actually needs. Retrieval of the common attributes schemas, id, and meta is always allowed if resource-operation includes retrieve. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| resource-operation | |
|---|---|
| Description | The operations allowed by this Authenticated Identity OAuth2 Scope on the specified resource attributes. |
| Default Value | None |
| Allowed Values | retrieve - Indicates that this scope may be used to retrieve attributes from a resource. modify - Indicates that this scope may be used to modify resource attributes. This corresponds to a SCIM PATCH or PUT operation. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
To list the configured OAuth2 Scopes:
dsconfig list-oauth2-scopes
[--property {propertyName}] ...
To view the configuration for an existing OAuth2 Scope:
dsconfig get-oauth2-scope-prop
--scope-name {name}
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the configuration for an existing OAuth2 Scope:
dsconfig set-oauth2-scope-prop
--scope-name {name}
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...
To create a new Authenticated Identity OAuth2 Scope:
dsconfig create-oauth2-scope
--scope-name {name}
--set consent-prompt-text:{propertyValue}
[--set {propertyName}:{propertyValue}] ...
To delete an existing OAuth2 Scope:
dsconfig delete-oauth2-scope
--scope-name {name}
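The following script is an added example, not part of the product documentation or its tooling. It checks a candidate scope name against the token-name rules in the properties table above (an RFC 6749 scope-token, additionally excluding '+' and ','), refuses a wildcard resource-attribute grant, and emits a dsconfig batch that creates a read-only Authenticated Identity OAuth2 Scope. Two things are assumptions rather than facts stated on this page: that create-oauth2-scope takes `--type authenticated-identity` to select this subtype, and that dsconfig batch files accept one command per line with backslash continuations and shell-style quoting.

```shell
#!/bin/sh
# Added example, not part of the product documentation. Validates a scope name,
# refuses an over-broad attribute grant, and prints a dsconfig batch that creates
# a read-only Authenticated Identity OAuth2 Scope for /userinfo and SCIM /Me.
# Assumptions (not stated on the reference page): create-oauth2-scope accepts
# "--type authenticated-identity", and batch files allow backslash continuations
# and shell-style quoting.

# token-name rule from the page: an RFC 6749 scope-token (printable ASCII with no
# space, '"' or '\'), additionally excluding '+' and ','. Returns 0 when acceptable.
scope_name_ok() {
  [ -n "$1" ] || return 1
  # %x21 or %x23-%x7E. LC_ALL=C keeps the range a byte range; '"' (0x22) is outside it.
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[!#-~]+$' || return 1
  # Backslash sits inside that range, so exclude it explicitly along with '+' and ','.
  case $1 in
    *\\*|*+*|*,*) return 1 ;;
  esac
  return 0
}

# Emit a batch command granting only "retrieve" on the listed attributes of the
# authenticated identity. A wildcard ("*") is refused: together with
# resource-operation:modify it would let any bearer of the token rewrite every
# attribute of the identity through SCIM PATCH/PUT.
# Usage: read_only_scope_batch <scope-name> <consent-prompt-text> <attr> [<attr>...]
read_only_scope_batch() {
  name=$1
  prompt=$2
  shift 2
  scope_name_ok "$name" || { echo "invalid scope name: $name" >&2; return 1; }
  [ $# -gt 0 ] || { echo "at least one resource attribute is required" >&2; return 1; }
  for attr in "$@"; do
    [ "$attr" != '*' ] || { echo "refusing wildcard resource-attribute" >&2; return 1; }
  done
  # Batch files omit the leading "dsconfig"; --set is repeated for multi-valued properties.
  printf 'create-oauth2-scope --scope-name %s --type authenticated-identity \\\n' "$name"
  printf '    --set "consent-prompt-text:%s" \\\n' "$prompt"
  printf '    --set resource-operation:retrieve'
  for attr in "$@"; do
    printf ' \\\n    --set resource-attribute:%s' "$attr"
  done
  printf '\n'
}

# Example: a "profile" scope that can read name and emails and nothing else.
# Redirect the output to a file and apply it with:
#   dsconfig --no-prompt --batch-file profile-scope.dsconfig
read_only_scope_batch profile 'Read your name and email address' name emails
```

The generator deliberately has no way to request modify or a wildcard; a scope that needs account-operation or external-identity-operation values should be created separately with its own consent-prompt-text, so users see exactly what each token can do and a token issued for reading a profile cannot reset the password.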