Dynamic scopes in ACP

Description of the dynamic scope concept in ACP

Dynamic scope concept

Building a client application that uses the OAuth-based authorization, you need to limit the access that the client application have. The typical way to restrict that access is to utilize the concept of scopes represented as a special access token claim that has a set of governance and privacy workflows connected to it.

The API or application owner usually defines scopes as simple nouns or verbs describing actions that the client application can perform using the so-called “dot” notation.

Examples of scopes using the dot notation

  • accounts.list
  • transactions.manage
  • users.delete

Such scopes are perfect if you want to control access at the coarse-grained level. However, what can pose a challenge for the client application developer is restricting access to a specific object or intent. If the developer is aware that the next set of operations relates to a single item, such as a specific account or user, they might want to restrict the authorization access token to this action or intent. It can be done by including a reference to the object as a part of the scope. Example:

Examples of scopes using the dot notation and the object identifier

  • account.list.05542
  • transaction.manage.433212
  • user.delete.2321

To facilitate this type of scenarios, Cloudentity supports the mechanism of dynamic scopes enabling the wildcard-based definition of scopes in addition to defining them one-by-one with their explicit authorization request.

Dynamic scope purpose

With dynamic scopes, your authorization flows get fine-grained and simplified, so does your access to the clients. The use of dynamic scopes not only speeds up and facilitates the process of defining scopes but also enables you to build your policies more efficiently.

Combining this capability with the Cloudentity intelligent policy-based scope governance enables a shift of the authorization logic from the application code to your Cloudentity authorization server offloading your developers and accelerating the application creation.

How it works

Here’s a basic authorization flow using dynamic scopes:

  1. ACP administrator defines a dynamic scope in wildcard form account.* as part of the protected service/resource.

  2. Client asks for scope account.1234.

  3. ACP matches the requested scope to the wildcard (dynamic) one defined by the administrator.

  4. ACP applies the scope governance policies attached to the account.*.

  5. Optionally consent screen displays account.1234 to the users so that they know what account the client requested access to.

Dynamic scope syntax

The syntax for dynamic-scope names uses dot notation with generic form templates including scope parameters, for example account.*, where * represents a wildcard allowing multiple scope-name interpretations.

There are two elements in the scope name template:

  1. Scope root, which is a fixed core of the dynamic scope name, for example account or users

  2. Scope wildcard (*), which is an adjustable extension to the scope root allowing to retrieve a specific requested scope.

scopes[user.*].params[1] returns the first parameter matched by the user.* scope that comes in the access token.

Dynamic scopes matching

See the logic behind the dynamic scopes matching in ACP:

accounts.* matches accounts.read.

accounts.* matches accounts.read.foo.

accounts.read matches accounts.read.

accounts does not match accounts.read.

accounts.read.* does not match accounts.read.

accounts.*.* does not match accounts.read.

accounts.*.* matches accounts.read.own.

accounts.*.* matches accounts.read.own.other.

accounts.read.* matches accounts.read.own.

accounts.read.* matches accounts.read.own.other.

accounts.write.* does not match accounts.read.own.

accounts.*.bar matches accounts.baz.bar.

accounts.*.bar does not accounts.baz.baz.bar.

Scope validators in policies

Scope parameters that match wildcard parameters in the scope name are available in policy validators.


If the administrator defines scope account.*.* and the client requests account.read.1234, the scope policy has access to wildcard-matched scope properties read and 1234, as well as the whole scope name.

Dynamic scope validators have at least three attributes:

  • Parameters available in policy validators


    The number of parameters matches the number of wildcards in the scope name, for example, {{users..}} has two parameters available: {{params.0}} and {{params.1}}.

  • Requested scope name, for example, {{users.1234}}

  • Scope name, for example, {{users.*}}.

Next steps

Further reading