Configure Scopes

Use scopes to set access rights, or permissions, for web apps.

To use the Express console: Go to Applications > App Name > API Scopes.

With scopes, you define permissions for a web app to limit the app’s abilities and risks. For example, you might configure an app that allows users to manage their own accounts. You can include scopes that allow the user to reset their own password, and edit their username and contact information.

Or you might set up a service app that can upload multiple users at once. In this case, you could grant scopes that allow only the service to access the user database.

Using Scopes to Access the Management API

To access information on the Management API, the application must request access and be granted it. The app sends the request through the ForgeRock authorization server, naming the entities on which it wants to perform RESTful API operations. The granted scopes are carried in an access token returned to the application, which then presents that token to pull information from the APIs.

ForgeRock uses the following format to set access rights to the Management API: (entity).(action)

  • /apps: For all applications.

    • app.create
    • app.read
    • app.update
    • app.delete
    • app.refresh-secret

  • /password-policy: Global password policy configuration.

    • password-policy.read
    • password-policy.update

  • /me: For the signed-in user.

    • me.read
    • me.update
    • me.update-password

  • /users: User management.

    • user.create
    • user.read
    • user.update
    • user.delete
    • user.reset-password
    • user.recover-username

  • /email-templates: Templates for new users, password reset, and account verification.

    • email-template.read
    • email-template.update

  • /email-server: For configuring an external SMTP server.

    • email-server-config.read
    • email-server-config.update
    • email-server-config.delete

  • /hosted-page: For configuring hosted pages with GET and PUT.

    • hosted-page-config.read
    • hosted-page-config.update

  • /team-members: For administrative users.

    • team-member.read
    • team-member.update
    • team-member.invite

Using OIDC Scopes to Access User Information

Apps can use OpenID Connect (OIDC) scopes to access user information, either in the ID token or from the /userinfo endpoint. A claim is a piece of information about a user, and each scope unlocks one or more claims.

OIDC requests must include the following scope:

  • openid

OIDC requests can also include the following scopes, which are associated with the following voluntary claims.

  • profile: name, family_name, given_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at

  • email: email

  • address: address

  • phone: phone_number

A voluntary claim does not have to be included. For example, if you request the profile scope for a user who has no picture, the picture claim is simply omitted from the response for that user.
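The two access-control decisions described above (a Management API scope in the (entity).(action) format, and OIDC scopes that unlock claims), as an added example that is not ForgeRock's own code: a resource-server check that a token's scope set contains the required scope, and a userinfo filter that returns only the claims the granted scopes unlock, omitting voluntary claims the user lacks. The token scope strings and the user record are constructed sample data.

```python
from typing import Dict, Set

# Management API scopes in the (entity).(action) format, as listed on this page.
MANAGEMENT_SCOPES = {
    "app.create", "app.read", "app.update", "app.delete", "app.refresh-secret",
    "password-policy.read", "password-policy.update",
    "me.read", "me.update", "me.update-password",
    "user.create", "user.read", "user.update", "user.delete",
    "user.reset-password", "user.recover-username",
    "email-template.read", "email-template.update",
    "email-server-config.read", "email-server-config.update", "email-server-config.delete",
    "hosted-page-config.read", "hosted-page-config.update",
    "team-member.read", "team-member.update", "team-member.invite",
}

# OIDC scopes and the voluntary claims each one unlocks, as listed on this page.
OIDC_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "nickname", "preferred_username",
                "profile", "picture", "website", "gender", "birthdate", "zoneinfo",
                "locale", "updated_at"},
    "email": {"email"},
    "address": {"address"},
    "phone": {"phone_number"},
}

def parse_scope(scope: str) -> Set[str]:
    """Split a space-delimited scope string, as carried in a token's 'scope' claim."""
    return set(scope.split())

def is_authorized(granted: str, entity: str, action: str) -> bool:
    """Resource-server check: does the token's scope set contain (entity).(action)?"""
    required = f"{entity}.{action}"
    if required not in MANAGEMENT_SCOPES:
        raise ValueError(f"unknown Management API scope {required!r}")
    return required in parse_scope(granted)

def userinfo_claims(granted: str, user: Dict[str, str]) -> Dict[str, str]:
    """Return only the claims the granted OIDC scopes unlock.
    'sub' is always returned (OIDC Core); a voluntary claim the user lacks is omitted."""
    scopes = parse_scope(granted)
    if "openid" not in scopes:
        raise ValueError("OIDC requests must include the 'openid' scope")
    allowed = {"sub"}.union(*(OIDC_SCOPE_CLAIMS.get(s, set()) for s in scopes))
    return {k: v for k, v in user.items() if k in allowed}

# Constructed sample data (not from ForgeRock): a service app limited to creating and reading users.
SERVICE_TOKEN_SCOPE = "user.create user.read"
SAMPLE_USER = {"sub": "u-123", "name": "Ada", "email": "ada@example.com", "phone_number": "+15550100"}
```

With the least-privilege scope set above, the service app can create and read users but a delete is refused, and a profile request for a user without a picture simply returns no picture claim.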

For more information on OIDC Scopes, see:
