Skip to content

Latest commit

 

History

History
46 lines (36 loc) · 3.55 KB

_application-scopes-settings.mdx

File metadata and controls

46 lines (36 loc) · 3.55 KB

import AdvancedPlanBlurbApi from 'src/content/docs/_shared/_advanced-plan-blurb-api.astro'; import APIBlock from 'src/components/api/APIBlock.astro'; import APIField from 'src/components/api/APIField.astro'; import InlineField from 'src/components/InlineField.astro';

The application's relationship to the authorization server, otherwise known as the OAuth server.
The possible values are:

* `First-party` - The application has the same owner as the authorization server. Consent to requested OAuth scopes is granted implicitly. This was the default behavior for all versions of FusionAuth before version 1.50.0.
* `Third-party` - The application is external to the authorization server. Users will be prompted to consent to requested OAuth scopes based on <InlineField>Consent mode</InlineField>.

<AdvancedPlanBlurbApi feature="third-party applications"/>
Controls the policy for prompting a user to consent to requested OAuth scopes. This field is only visible when the application's Relationship is `Third-party`.
The possible values are:

* `Always prompt` - Always prompt the user for consent.
* `Remember decision` - Remember previous consents; only prompt if the choice expires or if the requested or required scopes have changed. The duration of this persisted choice is controlled by the tenant's <InlineField>Remember OAuth scope consent choice</InlineField> configuration.
* `Never prompt` - The user will be never be prompted to consent to requested OAuth scopes. Permission will be granted implicitly as if this were a `First-party` application. This configuration is meant for testing purposes only and should not be used in production.
Controls the policy for handling unknown scopes on an OAuth request.
The possible values are:

* `Allow` - Unknown scopes will be allowed on the request, passed through the OAuth workflow, and written to the resulting tokens without consent. This is the behavior for all versions of FusionAuth before version 1.50.0.
* `Remove` - Unknown scopes will be removed from the OAuth workflow, but the workflow will proceed without them.
* `Reject` - Unknown scopes will be rejected and cause the OAuth workflow to fail with an error. This is the default behavior for new applications.
Controls the policy for handling of OAuth scopes when populating JWTs and the UserInfo response.
The possible values are:

* `Compatibility` - OAuth workflows will populate JWT and UserInfo claims in a manner compatible with versions of FusionAuth before version 1.50.0.
* `Strict` - OAuth workflows will populate token and UserInfo claims according to the OpenID Connect 1.0 specification based on requested and consented scopes.
Configuration for standard scopes provided by FusionAuth. Each provided scope is reserved by FusionAuth and can be individually Enabled and Required. A disabled scope will be treated as unknown by FusionAuth and handled in accordance with the Unknown scope policy. A user must consent to all Required scopes present in an OAuth workflow, but may choose whether or not to consent to Enabled fields that are not Required.