For Authlete 2.x documentation, see 2.x version.
Scope attributes are arbitrary key-value pairs associated with a scope. Both the key and the value are strings, and a single scope can have multiple attributes. You can use them to make authorization decisions or for other processing in your authorization server. Authlete also provides predefined scope attributes for system settings.
This feature has been available since Authlete 2.0.

How to Create Scope Attributes

To create scope attributes for a service:
  1. Log in to the Authlete Management Console.
  2. Navigate to Service Settings > Tokens and Claims > Advanced > Scope.
  3. In the Supported Scopes section, click the Add button.
  4. In the Add/Edit Supported Scope dialog:
    • Enter a Scope Name and Description.
    • In the Scope Attributes section, click Add.
    • Enter the Key and Value for the scope attribute.
      • Example: Key = attr_key1, Value = attr_value1.
    • Click Add to save the attribute.
  5. Click Save Changes to apply the changes.

Predefined Scope Attributes

The following scope attributes are predefined by Authlete for special purposes:
| Attribute Key | Attribute Value | Description |
| --- | --- | --- |
| access_token.duration | number | Configures access token duration for each scope. |
| refresh_token.duration | number | Configures refresh token duration for each scope. |
| fapi | r | Enables the FAPI read-only API profile. |
| fapi | rw | Enables the FAPI read-and-write API profile. |
| regex | regular expression | Enables a scope string with a dynamic value as part of it. |
| fapi2 | sp | Enables the FAPI 2.0 Security Profile. |
| fapi2 | ms-authreq | Enables the FAPI 2.0 Message Signing profile for Authorization Requests. |
| fapi2 | ms-authres | Enables the FAPI 2.0 Message Signing profile for Authorization Responses. |

How to Use Scope Attributes

Scope attributes can be utilized for various use cases, such as tagging risk levels to scopes or specifying required ACRs for granting a scope. In addition to custom use cases, you can leverage the predefined scope attributes provided by Authlete for specific system-level functionality.

The authorization response

The response from Authlete's /api/auth/authorization endpoint includes the scope attributes, as shown in the response body below:
{
    "type": "authorizationResponse",
    "resultCode": "...",
    "resultMessage": "...",
    "acrEssential": false,
    "action": "...",
    "client": {...},
    "clientIdAliasUsed": false,
    "maxAge": 0,
    "responseContent": "...",
    "scopes": [
        {
            "defaultEntry": false,
            "description": "A permission to request an OpenID Provider to issue an ID Token. See OpenID Connect Core 1.0, 3.1.2.1. for details.",
            "name": "openid"
        },
        {
            "defaultEntry": false,
            "name": "payment"
        }
    ],
    "service": {
        ...
        "supportedScopes": [
            {
                "defaultEntry": false,
                "description": "A permission to request an OpenID Provider to issue an ID Token. See OpenID Connect Core 1.0, 3.1.2.1. for details.",
                "name": "openid"
            },
            {
                "attributes": [
                    { "key": "meta", "value": "this profile requires a second factor authentication" },
                    { "key": "fapi", "value": "rw" }
                ],
                "defaultEntry": false,
                "name": "payment"
            },
            ...
        ],
        ...
    }
}
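
As an added example (not Authlete's code), the Python below works on the raw response body shown above and implements the required-ACR use case: it reports which requested scopes still call for an authentication the session has not met. The `required_acr` attribute key, its URN value and both function names are assumptions, and the sample is constructed.

```python
import json

# Constructed sample, trimmed to the fields of the response body shown above.
# The "required_acr" key and its URN value are assumptions made for this example.
SAMPLE_RESPONSE = json.loads("""
{
  "scopes": [
    {"defaultEntry": false, "name": "openid"},
    {"defaultEntry": false, "name": "payment"}
  ],
  "service": {"supportedScopes": [
    {"defaultEntry": false, "name": "openid"},
    {"attributes": [
       {"key": "fapi", "value": "rw"},
       {"key": "required_acr", "value": "urn:example:acr:2fa"}
     ], "defaultEntry": false, "name": "payment"}
  ]}
}
""")


def attribute_values(response, scope_name, key):
    """Return every value stored under `key` for one scope, or [] if none."""
    supported = (response.get("service") or {}).get("supportedScopes") or []
    requested = response.get("scopes") or []
    # Prefer attributes on the requested scope entry; fall back to the service's
    # definition, which is where the sample response carries them.
    for entry in list(requested) + list(supported):
        if entry.get("name") == scope_name and entry.get("attributes"):
            return [p["value"] for p in entry["attributes"] if p.get("key") == key]
    return []


def scopes_needing_step_up(response, session_acrs, key="required_acr"):
    """Map each requested scope to the required ACRs the session has not met."""
    pending = {}
    for scope in response.get("scopes") or []:
        missing = [v for v in attribute_values(response, scope["name"], key)
                   if v not in session_acrs]
        if missing:
            pending[scope["name"]] = missing
    return pending
```

An empty result means every requested scope's ACR requirement is already satisfied; a non-empty one names the scopes to withhold or to re-authenticate for before granting.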

Using Java Authlete library

The following snippet from an authorization server calls Authlete's POST /auth/authorization API to parse an authorization request from a client, and then acts on the attributes of the scopes included in the request.
// Imports needed by the snippet (authlete-java-common).
import com.authlete.common.dto.AuthorizationResponse;
import com.authlete.common.dto.Pair;
import com.authlete.common.dto.Scope;

// The code below belongs inside a request-handling method.

// Call Authlete /api/auth/authorization API.
AuthorizationResponse res = callAuthorizationAPI();

// Get scopes contained in the original authorization request.
Scope[] scopes = res.getScopes();

// Nothing to check if the request contained no scopes.
if (scopes == null || scopes.length == 0) {
    return;
}

// Check each scope's attributes.
for (Scope scp : scopes) {
    // Get the scope attributes of the scope.
    Pair[] attributes = scp.getAttributes();

    // Skip scopes that have no attributes.
    if (attributes == null || attributes.length == 0) {
        continue;
    }

    // Check each attribute.
    for (Pair attr : attributes) {
        // The key of the attribute.
        String key = attr.getKey();

        // The value of the attribute.
        String value = attr.getValue();

        // If the key is the target one.
        if ("targetkey".equals(key)) {
            // Do something with the value.
            doSomething(value);
        }
    }
}