Appibase uses OAuth 2.0 Scopes to determine the actions your application is allowed to perform on the Resource Server.
Scope is a mechanism in OAuth 2.0 to limit an application's access to protected resources.
When creating your OAuth application within your Organization Account, the choice of whether it's an Admin application or not will determine the relevant scopes.
Newly created OAuth applications will have the relevant scopes depending on whether it’s a Storefront application accessing the Storefront API or an Admin application accessing the Admin API.
Each application type is created with its relevant scopes:
Application | API | Scopes |
---|---|---|
Storefront | Storefront API | storefront, client, openid, profile, email |
Admin | Admin API | admin, client, openid, profile, email |
A Client application is required to specify the scope of the access request using the "scope" request parameter.
Scope | Description |
---|---|
storefront | Required for the Storefront Application. |
admin | Required for the Admin Application. |
client | Required for the Client Credentials grant type. Determines that the Resource Owner is the Client application. |
openid | Required for the Authorization Code grant type. Determines that the Resource Owner is an End-User and that the Access Token response will include the ID Token. |
profile | Optional for the Authorization Code grant type. Applicable with the "openid" scope only. Determines that the End-User's name will be included in the ID Token as well as the UserInfo endpoint. |
email | Optional for the Authorization Code grant type. Applicable with the "openid" scope only. Determines that the End-User's email will be included in the ID Token as well as the UserInfo endpoint. |
When requesting an Access Token, the included scopes will not only depend on whether it’s made by a Storefront or Admin application but also on the Authorization grant type or flow.
Each Access Token request requires a minimum of two scopes to be included in the scope parameter.
Application | Grant Type | Required Scopes | Optional Scopes |
---|---|---|---|
Storefront | Authorization Code | storefront openid | profile email |
Storefront | Client Credentials | storefront client | |
Admin | Authorization Code | admin openid | profile email |
Admin | Client Credentials | admin client | |
Any incorrect combination will result in an unsuccessful token request.
For instance, including the scope parameter "admin openid" for the Authorization Code grant flow but with Storefront client credentials will not be authorized.
Similarly, including the scope parameter "admin openid" with Admin client credentials but for the Client Credentials grant flow will not be authorized either.
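The rules in the tables above, encoded as a pre-flight check that a client can run on its scope parameter before sending the token request (or that a resource server can use to reject malformed requests early). This is an added example, not Appibase code; the function name, the grant-type identifiers and the message wording are assumptions.

```python
"""Validate a scope parameter against the application/grant-type rules described above.

Added example, not Appibase's own code. Rules encoded:
  * every request needs the application scope (storefront or admin)
    plus the grant-specific scope (openid for Authorization Code,
    client for Client Credentials);
  * profile and email are optional and only valid alongside openid;
  * a scope belonging to the other application type is never allowed.
Grant-type identifiers and message texts are assumptions.
"""
from typing import List, Tuple

APP_SCOPE = {"storefront": "storefront", "admin": "admin"}
GRANT_SCOPE = {"authorization_code": "openid", "client_credentials": "client"}
OPENID_OPTIONAL = {"profile", "email"}


def validate_scope(app_type: str, grant_type: str, scope: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a space-separated OAuth 2.0 scope parameter."""
    problems: List[str] = []
    if app_type not in APP_SCOPE:
        return False, [f"unknown application type {app_type!r}"]
    if grant_type not in GRANT_SCOPE:
        return False, [f"unknown grant type {grant_type!r}"]

    requested = scope.split()
    required = {APP_SCOPE[app_type], GRANT_SCOPE[grant_type]}
    allowed = set(required)
    if grant_type == "authorization_code":
        allowed |= OPENID_OPTIONAL  # profile/email ride along with openid only

    for missing in required - set(requested):
        problems.append(f"missing required scope {missing!r}")
    for extra in set(requested) - allowed:
        problems.append(f"scope {extra!r} not allowed for {app_type} / {grant_type}")
    if len(requested) != len(set(requested)):
        problems.append("duplicate scopes in request")

    # Sorted so the report is deterministic regardless of set iteration order.
    return not problems, sorted(problems)


if __name__ == "__main__":
    # The two failing combinations described in the text, plus one valid one.
    for case in [("storefront", "authorization_code", "admin openid"),
                 ("admin", "client_credentials", "admin openid"),
                 ("admin", "authorization_code", "admin openid profile email")]:
        print(case, validate_scope(*case))
```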