OAuth 2 Scopes¶
In OAuth 2.0, applications are granted access to limited subsets of user data. These are called scopes (not to be confused with Liferay scopes). They are created in two ways:
By administrators, by creating a Service Access Policy for the scope.
By developers, by creating a JAX-RS endpoint. By default, scopes are generated based on the HTTP verbs supported by the JAX-RS endpoint. A special annotation overrides this behavior and registers specific scopes.
Creating a Scope for a JSONWS Service¶
The most common way to create a scope is to create a Service Access Policy prefixed with the name OAUTH2_
. This naming convention causes the policy to appear in the OAuth application configuration screen as a scope.
For example, say the application needs access to a user’s profile information to retrieve the email address. To grant the application access to this, go to Control Panel → Configuration → Service Access Policy, and create the policy pictured below.
Note that the policy is not a default policy, and that it grants access only to one method in the UserService
. This is a JSONWS web service generated by Service Builder. You can view a list of all available services in your installation at this URL:
http://[host]:[port]/api/jsonws/
Once you create a policy and name it with the OAUTH2_
prefix, it appears in the Scopes tab in OAuth2 Administration.
Now you can select it and save your application.