Scope Management

Scope Management: An additional level of permissions or access rights can be defined for each app, according to the customer's business requirements, using the scope parameter. cidaas checks that the scope requested matches the scope actually allowed for the app and the user, and grants the registered/logged-in user access accordingly.

cidaas scopes are standard OAuth 2.0 scopes: they define the authorization granted to a particular app, or even to a particular registration field, and are the mechanism for limiting an app's access to a user's data.

How are scopes configured in cidaas?

Scopes are associated with Apps and with Registration fields, as shown in the diagram below:

How are scopes associated with Apps? See Create App, under the App Details section.

How scopes are mapped to registration fields: see Registration Setup - Mapping scopes to registration fields.

cidaas provides default scopes, and Admin users can additionally define custom scopes:

Reference Link Default System Scopes
Reference Link Custom Scopes

Custom Scopes - Add New Scope

To create custom (user-defined) scopes, follow the procedure below:

cidaas Administrator dashboard -> Apps -> "Scope Management"

1. Enter the scope key.

2. Select the locale from the drop-down.

3. Enter a brief description of the scope.

4. Select the security level from the drop-down (public / confidential).

5. Select the Scope Group from the drop-down, as in the screen below:

6. Enable the Required User Consent checkbox.

7. Once the Required User Consent checkbox is enabled, the screen below is displayed.

8. Click the "Save" button. A confirmation message pops up.

9. The scope key is generated and displayed under the "Custom Scopes" section (custom scopes are the ones defined by users), as in the screen below.

10. If the Required User Consent checkbox is selected, the user consent icon for that custom scope changes to the enabled icon; otherwise it stays as the disabled icon.

See the table below for reference:

Note: The consent prompt window appears only if the option Prompt Approval Enabled is activated on the Update App screen. This is how the user is informed about which data the App is going to have access to.

| Field | Description |
|---|---|
| Scope Key | The unique key for the scope, written as a canonical key/value representation or simply as a value, e.g. cidaas:register, cidaas:login, profile, email. The key and value can be any string. |
| Security Level | Determines whether the apps/fields associated with this scope are public or confidential. Public scopes can be associated/mapped with all apps, regardless of who created them. Confidential scopes need verification by the Administrator, e.g. when developers map scopes to the Apps they create using the developer self-service page. |
| Scope Group | How do we create Scope Groups? See Scope Groups. |
| Where you can use scopes | Create Apps |
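The table above describes scopes as the way an app's access is limited, and the introduction says cidaas checks the requested scope against what the app is allowed. The following is an added example of how a client application should treat the `scope` parameter; it is not cidaas code. The scope registry, the app record, the authorization endpoint URL and the token response are constructed stand-ins for what the Scope Management and App Details screens configure and what the server returns; the custom scope `eshop:orders_read` is hypothetical.

```javascript
// Added example, not cidaas code: how a client app handles the OAuth 2.0 `scope`
// parameter. The scope registry and app record below are constructed stand-ins
// for what the Scope Management and App Details screens configure.

// Constructed scope registry (security level and consent flag as on the Scope Management screen).
const REGISTERED_SCOPES = {
  openid:              { securityLevel: 'public',       requiresConsent: false },
  profile:             { securityLevel: 'public',       requiresConsent: false },
  email:               { securityLevel: 'public',       requiresConsent: false },
  'eshop:orders_read': { securityLevel: 'public',       requiresConsent: true },  // hypothetical custom scope
  'cidaas:users_read': { securityLevel: 'confidential', requiresConsent: false },
};

// Constructed app record. allowedScopes holds the scopes an Administrator mapped to the app;
// a confidential scope only appears here after Administrator verification.
const APP = {
  clientId: 'c74131d6-c037-47e9-bcc2-9cb8a4ce55fc',
  redirectUri: 'https://sampleeshop.com/resume-callback.html',
  allowedScopes: ['openid', 'profile', 'email', 'eshop:orders_read'],
};

// Work out which of the requested scopes the app may ask for. Anything unknown or not
// mapped to the app is dropped up front instead of being sent and rejected by the server.
function resolveScopes(app, requested) {
  const granted = [];
  const rejected = [];
  for (const scope of requested) {
    const def = REGISTERED_SCOPES[scope];
    if (!def) {
      rejected.push({ scope, reason: 'unknown scope' });
    } else if (!app.allowedScopes.includes(scope)) {
      rejected.push({ scope, reason: `${def.securityLevel} scope not mapped to this app` });
    } else {
      granted.push(scope);
    }
  }
  const needsConsent = granted.filter((s) => REGISTERED_SCOPES[s].requiresConsent);
  return { granted, rejected, needsConsent };
}

// Build the authorization request. The endpoint comes from the OpenID configuration document;
// state and nonce must be fresh random values per request (CSRF and replay protection).
function buildAuthorizeUrl(authorizationEndpoint, app, scopes, { state, nonce }) {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', app.clientId);
  url.searchParams.set('redirect_uri', app.redirectUri);
  url.searchParams.set('scope', scopes.join(' '));
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  return url.toString();
}

// After the token exchange: RFC 6749 section 3.3 allows the server to issue a narrower scope
// than requested (e.g. the user declined consent) and requires it to return `scope` when it
// does. Compare what was granted with what the app actually needs instead of assuming.
function checkGrantedScope(tokenResponse, requested, required) {
  const granted = tokenResponse.scope ? tokenResponse.scope.split(' ') : requested;
  const missing = required.filter((s) => !granted.includes(s));
  return { granted, missing, ok: missing.length === 0 };
}

// Worked run with constructed data.
function demo() {
  const requested = ['openid', 'profile', 'email', 'eshop:orders_read', 'cidaas:users_read', 'bogus'];
  const resolved = resolveScopes(APP, requested);
  // Constructed endpoint and state/nonce values; real ones come from discovery and a CSPRNG.
  const authorizeUrl = buildAuthorizeUrl('https://sampleeshop.com/authorize', APP, resolved.granted,
    { state: 'st-7f3a', nonce: 'n-91c2' });
  // Constructed token response: the user did not consent to eshop:orders_read, so the server dropped it.
  const tokenResponse = { access_token: 'opaque', token_type: 'Bearer', scope: 'openid profile email' };
  const check = checkGrantedScope(tokenResponse, resolved.granted, ['openid', 'eshop:orders_read']);
  return { resolved, authorizeUrl, check };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The point of `checkGrantedScope` is the part most clients skip: the `scope` returned with the token, not the one sent in the request, is what the access token is actually good for, so an app that needs a consent-gated scope has to handle the case where the user declined it.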

Edit Custom Scopes

1. From the existing custom scopes, click the edit icon; the "Edit Scope" screen below is displayed.

2. Once the required changes are entered, click the "Save" button. A message window pops up with "Scope Updated Successfully"; click "OK" and the changes are updated in the custom scope grid table.

To Delete a Scope

1. From the existing custom scopes, click edit; on the screen displayed below, click the Delete Scope button.

Default System Scopes

cidaas provides the below standard default scopes:

Super Administrator Scopes

| Scope Key | Description |
|---|---|
| cidaas:admin_read | Requests full read access to the cidaas system. Caution: this is equivalent to super Administrator read access. |
| cidaas:admin_write | Requests full read and write access to the cidaas system. Caution: this is equivalent to super Administrator access. |
| cidaas:admin_delete | Requests full delete access to the cidaas system. Caution: this is equivalent to super Administrator access. |

Because these three scopes are equivalent to super Administrator access, map them only to trusted back-end (confidential) clients, never to browser or mobile apps.

System Scopes

| Scope Key | Description |
|---|---|
| openid | Informs cidaas that the client is making an OpenID Connect request. Reference Link: OpenID Token |
| profile | Requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. |
| email | Requests access to the email and email_verified Claims. |
| phone | Requests access to the phone_number and phone_number_verified Claims. |
| offline_access | Requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token granting access to the End-User's UserInfo Endpoint even when the End-User is not present (not logged in). |
| groups | Requests access to the user's groups Claims. |
| identities | Requests access to the user's identities Claims, i.e. the details of each social identity, e.g. Facebook, Google, self. |
| cidaas:register | Requests access to register a user from the registration form. |
| cidaas:apps_read | Requests access to read app details. |
| cidaas:apps_write | Requests access to create/update app details. |
| cidaas:apps_delete | Requests access to delete apps. |
| cidaas:scopes_read | Requests access to read scope details. |
| cidaas:scopes_write | Requests access to create/update scope details. |
| cidaas:scopes_delete | Requests access to delete scopes. |
| cidaas:security_key_read | Requests access to read security key details. |
| cidaas:security_key_write | Requests access to create/update security key details. |
| cidaas:security_key_delete | Requests access to delete security keys. |
| cidaas:users_read | Requests access to read user details. |
| cidaas:users_write | Requests access to create/update user details. |
| cidaas:users_delete | Requests access to delete users. |
| cidaas:users_invite | Requests access to invite users. |
| cidaas:users_search | Requests access to search users. |
| cidaas:roles_read | Requests access to read role details. |
| cidaas:roles_write | Requests access to create/update role details. |
| cidaas:roles_delete | Requests access to delete roles. |
| cidaas:providers_read | Requests access to read provider details. |
| cidaas:providers_write | Requests access to create/update provider details. |
| cidaas:providers_delete | Requests access to delete providers. |
| cidaas:registration_setup_read | Requests access to read registration setup details. |
| cidaas:registration_setup_write | Requests access to create/update registration setup details. |
| cidaas:registration_setup_delete | Requests access to delete registration setup. |
| cidaas:templates_read | Requests access to read template details. |
| cidaas:templates_write | Requests access to create/update template details. |
| cidaas:templates_delete | Requests access to delete templates. |
| cidaas:password_policy_read | Requests access to read password policy details. |
| cidaas:password_policy_write | Requests access to create/update password policy details. |
| cidaas:password_policy_delete | Requests access to delete password policies. |
| cidaas:webhook_read | Requests access to read Webhook details. |
| cidaas:webhook_write | Requests access to create/update Webhook details. |
| cidaas:webhook_delete | Requests access to delete Webhooks. |
| cidaas:captcha_read | Requests access to read captcha details. |
| cidaas:captcha_write | Requests access to create/update captcha details. |
| cidaas:captcha_delete | Requests access to delete captcha. |
| cidaas:optin_read | Requests access to read opt-in details. |
| cidaas:optin_write | Requests access to create/update opt-in details. |
| cidaas:optin_delete | Requests access to delete opt-in. |
| cidaas:group_type_read | Requests access to read group type details. |
| cidaas:group_type_write | Requests access to create/update group type details. |
| cidaas:group_type_delete | Requests access to delete group types. |
| cidaas:groups_read | Requests access to read group details. |
| cidaas:groups_write | Requests access to create/update group details. |
| cidaas:groups_delete | Requests access to delete groups. |
| cidaas:groups_user_map_read | Requests access to read user-to-group mapping details. |
| cidaas:groups_user_map_write | Requests access to create/update user-to-group mappings. |
| cidaas:groups_user_map_delete | Requests access to delete user-to-group mappings. |
| cidaas:hosted_pages_read | Requests access to read hosted page details. |
| cidaas:hosted_pages_write | Requests access to create/update hosted page details. |
| cidaas:hosted_pages_delete | Requests access to delete hosted pages. |
| cidaas:verification_write | Requests access to create/update verification details. |
| cidaas:verification_delete | Requests access to delete verification. |
| cidaas:reports_read | Requests access to read report details. |
| cidaas:reports_write | Requests access to create/update report details. |
| cidaas:reports_delete | Requests access to delete reports. |

OpenID Scope

OpenID allows a user to use one existing account to sign in to multiple websites, without creating new passwords for each of them.

The user may choose to associate information with the OpenID identity that can be shared with websites, such as a name or email address. With OpenID, the user controls which information is shared with the websites they visit.

With OpenID, the password is given only to the identity provider, and that provider then confirms the user's identity to the websites the user visits. No website other than the provider ever sees the password, so an unscrupulous or insecure website cannot compromise the user's identity by capturing it.

Procedure to prepare an ID token, with example

1. Go to Apps -> Scope Management and add the openid scope.

2. Create an app of type Regular WebApp, or edit an existing Regular WebApp.

3. Make sure the openid scope is added to the app.

Generate Script

1. Go to cidaas dashboard -> Apps -> App Settings.

2. Select your app, take the OpenID configuration information (the provider's discovery document, which also lists the authorization, token and jwks_uri endpoints) and click the link to learn more about the configuration and functionality of the OIDC client library.

Simple Login Page

```javascript
// oidc-client settings for the sample shop (the values are the page's example values)
var settings = {
    authority: 'https://sampleeshop.com',                             // issuer; discovery document at authority + '/.well-known/openid-configuration'
    client_id: 'c74131d6-c037-47e9-bcc2-9cb8a4ce55fc',
    redirect_uri: 'https://sampleeshop.com/resume-callback.html',     // must be registered for the app exactly as given here
    post_logout_redirect_uri: 'https://sampleeshop.com',
    popup_post_logout_redirect_uri: 'https://sampleeshop.com/logout-callback.html',
    silent_redirect_uri: 'https://sampleeshop.com/resume-callback.html',
    response_type: 'id_token token',   // implicit flow; the "Result" steps below describe the authorization code flow ('code'), which is the preferred choice for a web app
    scope: 'openid email roles profile', // openid is mandatory, otherwise no id_token is issued
    mode: 'redirect'
};
```
Silent Login

To perform a silent login, call signinSilent() and pass the state as a parameter.

```javascript
// Silent renewal: oidc-client loads the authorization endpoint in a hidden iframe
// with prompt=none and returns to silent_redirect_uri. It only succeeds while the
// user still has a session at cidaas, so the failure case has to be handled.
this.usermanager.signinSilent({
    state: 'state'
}).then(function () {
    console.log("signed in");
    window.location = "/";
}).catch(function (err) {
    console.error("silent sign-in failed; an interactive login is required", err);
});
```

If you are already logged in, you are redirected directly to the callback URL you specified.

Result

3. Open the web page and click Login.

4. You land on the cidaas sample shop login page.

5. After login you receive the code in the URL query string of the redirect_uri, together with the state you sent. Check that the returned state matches before using the code.

6. Use that code to obtain the access_token and id_token from the token endpoint. The screen below shows the Postman UI, with the code pasted under the "Request Body" section.

Note: The id_token is issued only when the openid scope is present.

7. Check the ID token: paste it into a JWT decoder (for example https://www.jsonwebtoken.io/) to see the claims it carries. Decoding only displays the payload; before trusting any claim, your application must verify the signature against the keys published at the jwks_uri from the OpenID configuration and check the iss, aud, exp and nonce claims. Do not paste tokens from a production tenant into third-party websites.

8. Adding more scopes: adding profile yields these claims in the id token: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.

9. Get the access token: you receive the following result.


