IMPORTANT: As we revamp and transition our documentation to this site, you may find the articles you need on Liferay's Help Center.

Analytics Cloud Commerce Courses DXP / Portal DXP Cloud Reference

Documentation Menu

Highlighting

Remove Highlighting

Go Back

• Getting Started
• Site Building
• Content Authoring and Management
• Process Automation
• Using Search
• Collaboration and Social
• Users and Permissions
• System Administration
• Building Applications
• Liferay Internals
• Headless Delivery
  • Using Liferay as a Headless Platform
  • Using OAuth 2.0
    • Creating an OAuth2 Application
    • Authorizing Account Access with OAuth2
    • OAuth2 Scopes
  • Consuming APIs
  • APIs with REST Builder
• Installation and Upgrades

English

• Japanese
• English

• Liferay Learn
• DXP
• Headless Delivery
• Using OAuth 2.0
• OAuth2 Scopes

OAuth2 Scopes

In OAuth 2.0, applications are granted access to limited subsets of user data. These are called scopes (not to be confused with Liferay scopes). They are created in two ways:

1. By administrators, by creating a Service Access Policy for the scope.

2. By developers, by creating a JAX-RS endpoint. By default, scopes are generated based on the HTTP verbs supported by the JAX-RS endpoint. A special annotation overrides this behavior and registers specific scopes.

Creating a Scope for a JSONWS Service

The most common way to create a scope is to create a Service Access Policy prefixed with the name OAUTH2_. This naming convention causes the policy to appear in the OAuth application configuration screen as a scope.

For example, say the application needs access to a user’s profile information to retrieve the email address. To grant the application access to this, go to Control Panel → Configuration → Service Access Policy, and create the policy pictured below.

Note that the policy is not a default policy, and that it grants access only to one method in the UserService. This is a JSONWS web service generated by Service Builder. You can view a list of all available services in your installation at this URL:

http://[host]:[port]/api/jsonws/

Once you create a policy and name it with the OAUTH2_ prefix, it appears in the Scopes tab in OAuth2 Administration.

Now you can select it and save your application.

Creating the Authorization Page

This step is optional. Users need an interface to authorize access to their accounts, and one is provided automatically. If, however, you want to customize the page, you can create an authorization page in your Site.

1. Go to Control Panel → Instance Settings → Security → OAuth2. The one category is labeled Authorize Screen.

   

2. Two defaults appear. The first is the URL to the authorize page. By default, it’s /?p_p_id=com_liferay_oauth2_provider_web_internal_portlet_OAuth2AuthorizePortlet&p_p_state=maximized. This corresponds to an internal portlet.

3. Go to your Site’s Site Builder → Pages screen. Click the () button and choose Private Page. This forces users to log in.

4. Choose the Full Page Application type.

5. Give the page the same name you configured in step 2.

6. Turn the Hidden from Navigation Menu Widget switch on. You don’t want this page showing up in your Site navigation.

7. On the page that appears next, verify the Friendly URL matches the URL you configured in step 2.

8. Under Full Page Application, choose Application Authorization Request.

9. Click Save.

Excellent! Users can use the default or the UI of your design to go through the authorization process. Now that you have the UI and you understand scopes, it’s time to make the authorization process happen in your application.

Not finding what you're looking for?

Pardon our dust as we revamp and transition our product documentation to this site. If something seems missing, please check Liferay Help Center documentation for Liferay DXP 7.2 and previous versions.

Try Liferay's Help Center