Scope Management
Scope Management: Additional level of permissions or access rights can be defined for each app, as per the business requirements of the customer, using the scope - parameter. cidaas ensures that the defined scope matches with the actual scope allowed for the user, and appropriately grants access to the registered/logged-in user.
cidaas scopes are nothing but the OAuth2 standard based scopes that define authorization for a particular app, or even a particular registration field. – it is a way of limiting an app’s access to a user’s data.
How Scopes Configured in cidaas?
Scopes are associated with Apps and Registration fields are explained below:
How are scopes associated with Apps? Create App - under App Details section.
Let us take a look at how scopes are mapped to registration fields: Registration Setup - Mapping scopes to registration fields
cidaas provides default scopes and Admin users can additionally define custom scopes:
Reference Link Default System Scopes
Reference Link Custom Scopes
Custom Scopes - Add New Scope
To create the custom scopes which is user defined scopes, follow the below procedures:
cidaas Administrator dashboard -> Apps -> “Scope Management”
1. Enter scope key.
2. Select locale from the drop down.
3. Enter a brief description about scope.
4. Select security level from the drop down (public/ confidential).
5. Select Scope Group from the drop down, as in the below screen:
6 . Enable Required User Consent, checkbox.
7. Once user Enable Required User Consent checkbox, the below screen displays,
8 . Click “Save” button. A message window popup.
9 . The scope key is generated and get displayed under “Custom Scopes” (custom scopes are defined by the user’s) section, as in the below screen,
Find the below table for reference:
| Scope Key | Description |
|---|---|
| Scope Key |
Here we define the unique key using canonical representation to define the key value pair or simply enter the value. For e.g, cidaas: register, cidaas: login, profile, email. The key and value we enter can be any string. |
| Security Level |
This determines if the app/fields associated with this scope are public or confidential. Public Scopes can be associated/mapped with all apps – regardless of who created it. Confidential Scopes need a verification from the Administrator. For e.g. when developers need to map scopes to the Apps they create using the developer self-services page |
| Scope Group |
How do we create Scope Groups? Scope Groups Where you can use scope Create Apps |
Edit Custom Scopes
1 . From the existing custom scopes click on the icon edit 
, the below “Edit Scope” screen displays
2 . Once the required changes entered, click “Save” button, a message window popup “Scope Updated Successfully”, click “OK” button, the changes get updated under the custom scope grid table.
To Delete Scope
3 . From the existing custom scopes, click edit and the below screen get displayed, click Delete Scope button.
Default System Scopes
cidaas provides the below standard default scopes:
Super Administrator Scopes
| Scope Key | Description |
|---|---|
| cidaas:admin_read | This scope value requests access to full read access of the cidaas system. Caution!!! this is equivalent to super Administrator read access |
| cidaas:admin_write | This scope value requests access to full read and write access of the cidaas system. Caution!!! this is equivalent to super Administrator access |
| cidaas:admin_delete | This scope value requests access to full delete access of the cidaas system. Caution!!! this is equivalent to super Administrator access |
System Scopes
| Scope Key | Description |
|---|---|
| openid |
Informs the cidaas that the client is making an OpenID Connect request.
Reference Link OpenID Token
|
| profile | This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated at. |
| This scope value requests access to the email and email_verified Claims. | |
| phone | This scope value requests access to the phone_number and phone_number_verified Claims. |
| offline_access | This scope value requests that an OAuth 2.0 Refresh Token be issued that can be used to obtain an Access Token that grants access to the End-User's User Info Endpoint even when the End-User is not present (not logged in). |
| groups | This scope value requests access to user groups Claims. |
| identities | This scope value requests access to user identities Claims. i.e. it gives the details about each social identity ex: Facebook, Google, self. |
| cidaas:register | This scope value requests access to register user from the registration form. |
| cidaas:apps_read | This scope value requests access to reading apps details. |
| cidaas:apps_write | This scope value requests access to creating/updating apps details. |
| cidaas:apps_delete | This scope value requests access to deleting apps. |
| cidaas:scopes_read | This scope value requests access to reading scopes details. |
| cidaas:scopes_write | This scope value requests access to creating/updating scopes details. |
| cidaas:scopes_delete | This scope value requests access to deleting scopes. |
| cidaas:security_key_read | This scope value requests access to reading security key details. |
| cidaas:security_key_write | This scope value requests access to creating/updating security key details. |
| cidaas:security_key_delete | This scope value requests access to deleting security key. |
| cidaas:users_read | This scope value requests access to reading user’s details. |
| cidaas:users_write | This scope value requests access to creating/updating user’s details. |
| cidaas:users_delete | This scope value requests access to deleting users. |
| cidaas:users_invite | This scope value requests access to inviting users. |
| cidaas:users_search | This scope value requests access to searching users. |
| cidaas:roles_read | This scope value requests access to reading roles details. |
| cidaas:roles_write | This scope value requests access to creating/updating roles details. |
| cidaas:roles_delete | This scope value requests access to deleting roles. |
| cidaas:providers_read | This scope value requests access to reading providers details. |
| cidaas:providers_write | This scope value requests access to creating/updating providers details. |
| cidaas:providers_delete | This scope value requests access to deleting providers. |
| cidaas:registration_setup_read | This scope value requests access to reading registration setup details. |
| cidaas:registration_setup_write | This scope value requests access to creating/updating registration setup details. |
| cidaas:roles_delete | This scope value requests access to deleting roles. |
| cidaas:registration_setup_delete | This scope value requests access to deleting registration setup. |
| cidaas:templates_read | This scope value requests access to reading templates details. |
| cidaas:templates_write | This scope value requests access to creating/updating templates details. |
| cidaas:templates_delete | This scope value requests access to deleting templates. |
| cidaas:password_policy_read | This scope value requests access to reading password policy details. |
| cidaas:roles_delete | This scope value requests access to deleting roles. |
| cidaas:password_policy_write | This scope value requests access to creating/updating password policy details. |
| cidaas:password_policy_delete | This scope value requests access to deleting password policy. |
| cidaas:webhook_read | This scope value requests access to reading Webhook details. |
| cidaas:webhook_write | This scope value requests access to creating/updating Webhook details. |
| cidaas:webhook_delete | This scope value requests access to deleting Webhook. |
| cidaas:captcha_read | This scope value requests access to reading captcha details. |
| cidaas:captcha_read | This scope value requests access to reading captcha details. |
| cidaas:captcha_write | This scope value requests access to creating/updating captcha details. |
| cidaas:captcha_delete | This scope value requests access to deleting captcha. |
| cidaas:optin_read | This scope value requests access to reading opt-in details. |
| cidaas:optin_write | This scope value requests access to creating/updating opt-in details. |
| cidaas:roles_delete | This scope value requests access to deleting roles. |
| cidaas:optin_delete | This scope value requests access to deleting opt-in. |
| cidaas:group_type_read | This scope value requests access to reading group type details. |
| cidaas:group_type_write | This scope value requests access to creating/updating group type details. |
| cidaas:group_type_delete | This scope value requests access to deleting group type |
| cidaas:groups_read | This scope value requests access to reading groups details. |
| cidaas:groups_write | This scope value requests access to creating/updating groups details. |
| cidaas:groups_delete | This scope value requests access to deleting groups. |
| cidaas:groups_user_map_read | This scope value requests access to reading user’s groups map details. |
| cidaas:groups_user_map_write | This scope value requests access to creating/updating user’s groups map details. |
| cidaas:groups_user_map_delete | This scope value requests access to deleting user’s groups map. |
| cidaas:hosted_pages_read | This scope value requests access to reading hosted pages details. |
| cidaas:hosted_pages_write | This scope value requests access to creating/updating hosted pages details. |
| cidaas:hosted_pages_delete | This scope value requests access to deleting hosted pages. |
| cidaas:verification_write | This scope value requests access to creating/updating verification details. |
| cidaas:verification_delete | This scope value requests access to deleting verification. |
| cidaas:reports_read | This scope value requests access to reading reports details. |
| cidaas:reports_write | This scope value requests access to creating/updating reports details. |
| cidaas:reports_delete | This scope value requests access to deleting reports. |
OpenID Scope
Openid allows user to use an existing account to sign in to multiple websites, without creating new passwords.
User may choose to associate information with openid that can be shared with the websites, such as a name or email address. With OpenID, user control the information is shared with the websites visited by users.
With openid, password is only given to the identity provider, and that provider then confirms user identity to the websites you visit. Other than your provider, no website ever sees your password, so you don’t need to worry about an unscrupulous or insecure website compromising your identity.
Procedure to prepare Id token with example
1 . Go to Apps -> Scope Management & add the openid scope
2 . Create the Regular WebApp type or edit the existing Regular WebApp
3 . Make sure the openid scope is added to the app
Generate Script
1 . Go to cidaas dashboard-> Apps -> App Settings
2 . Select your app from the Administrator, get the open id configuration information and click on the link to know more about the configuration and functionalities of OIDC client library
Simple Login Page
var settings = {
authority: 'https://sampleeshop.com',
client_id: 'c74131d6-c037-47e9-bcc2-9cb8a4ce55fc',
redirect_uri: 'https://sampleeshop.com/resume-callback.html',
post_logout_redirect_uri: 'https://sampleeshop.com',
popup_post_logout_redirect_uri: 'https://sampleeshop.com/logout-callback.html',
silent_redirect_uri: 'https://sampleeshop.com/resume-callback.html',
response_type: 'id_token token',
scope: 'openid email roles profile',
mode: 'redirect'
};
Silent Login
To perform silent login: call signinSilent () by passing the state as parameter.
this.usermanager.signinSilent({
state: 'state'
}). then(function () {
console.log("signed in");
window.location = "/";
});
If you are already logged in, you will be redirected directly to your specified callback URL.
Result
3 . When we open the web page and click on login
4 . We land on the cidaas-sample shop login page.
5 . After login you will get code in the URL query string
6 . Use that code to generate the access_token and id_token. The screen below shows the postman UI, where the code is pasted (under” Request Body” section).
Note The id_token is issued only when the openid scope is present.
7 . Check the Id token: For this you can use any URL encoder/decoder available online to see the information represented by the id token. Example ( https://www.jsonwebtoken.io/ )
8 . Adding more scopes: adding profile will give these details in the id token name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
9 . Get Access token: you will receive the following result
