A scope is a set of rights to a protected resource associated with an access token. Clients can request scopes to access a protected resource. The authorization server can allow or deny such requests.

With scopes, you can set access rights for web apps to limit their abilities and risks. For example, you want to configure an app that allows users to manage their own accounts. You can include scopes that support:

  • Password reset
  • User profile management (Phone numbers and addresses, for example.)

Alternatively, to set up a service app that can upload multiple users, you can set up scopes that support access to the user database.

Implementation can get complex depending on authorization requirements.

OIDC Scopes

Apps can use OpenID Connect (OIDC) scopes to access user information either in the ID token or in the /userinfo endpoint. Claims contain one or more pieces of information about a user.

OIDC requests must include the following scope:

  • openid

OIDC requests can also include the following scopes, which are associated with the following voluntary claims.

  • profile: name, family_name, given_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at

  • email: email

  • address: address

  • phone: phone_number

A voluntary claim does not have to be included. For example, if you ask for information about a user without a picture, the app does not have to return that claim for the user.

You can manage these scopes from the console. Sign in to https://ui-{{tenantName}} as a team member. Navigate to and select an application. You’ll see available and selected scopes under an OIDC Scopes tab:

alt text

Management API Scopes

To access information on the Management API, the application must request and be allowed access. The app sends a request through the ForgeRock authorization server. The request goes to the entities it wants to perform RESTful API operations on. These scopes are then granted using an access token returned to the application, which can then be used to pull information from the APIs.

ForgeRock uses the following format to set access rights to the Management API (entity).(action)

  • /apps: For all applications.

    • app.create
    • app.update
    • app.delete
    • app.refresh-secret
  • /password-policy: Global password policy configuration.

    • password-policy.update

  • /me: For the signed-in user.

    • me.update
    • me.update-password

  • /users: User management.

    • user.create
    • user.update
    • user.delete
    • user.reset-password
    • user.recover-username
  • /email-templates: Templates for new users, password reset, and account verification.

    • email-template.update

  • /email-server: For configuring an external SMTP server

    • email-server-config.update
    • email-server-config.delete

  • /hosted-page: For configuring hosted pages with GET and PUT.

    • hosted-page-config.update

  • /team-members: For administrative users.

    • team-member.update
    • team-member.invite

More Information

If you want more information on OIDC Scopes, see:

If you have questions email [email protected].