Scope-based policies
Scope-based policies let you attach authorization rules directly to a scope. When a client asks for a token that includes the scope, or when a user is asked to consent to it, SecureAuth evaluates the attached policy and decides whether the scope can be granted. The decision happens at token issuance, so the access token reflects the outcome.
Use scope-based policies when a specific scope needs conditional access rules, rather than applying blanket rules to the whole application or service.
Policy types you can attach to a scope
SecureAuth lets you attach the following policies to a scope:
| Parameter | What it controls |
|---|---|
| Human Users | Whether the Authorization Code flow can use this scope. When enabled, you can configure a policy for that flow. |
| Machine Users | Whether the Client Credentials flow can use this scope. When enabled, you can configure a policy for that flow. |
| 3rd Party Developers | Whether third-party developers can subscribe an application to this scope. When enabled, you can configure a policy for the subscription flow. |
| Dynamic Client Registration | Whether dynamically registered clients can subscribe to this scope. Use a policy to define the conditions those clients must meet. |
Common use cases
Restrict who can grant a scope
Attach a Client Assignment policy to a scope to limit which clients can be granted that scope. For example, require that only clients with a specific metadata value, or clients registered by a named developer, can be granted a sensitive scope.
Restrict who can consent to a scope
Attach a Consent Grant policy to a scope to control which users can consent to it. For example, require MFA at consent time, or allow consent only for users with a specific attribute or group membership.
Gate third-party developer access
Attach a Developer policy to a scope to require developer attestation or metadata checks before a third-party developer can subscribe an application to the scope.
Gate dynamically registered clients
Attach a DCR policy to a scope to validate dynamically registered clients before they can subscribe. This is useful in open finance and other ecosystems with federated client registration.
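The following is an added illustration, not SecureAuth's policy engine or API: a constructed model of per-scope, per-flow policy evaluation that shows why the decision taken at token issuance determines which scopes the token carries. Scope names, policy predicates and the request context shape are all assumptions made for the example.

```python
"""Constructed model of scope-based policy evaluation at token issuance.
Added illustration only; not SecureAuth's policy engine or API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A policy is a predicate over the request context; True means "grant".
Policy = Callable[[dict], bool]

@dataclass
class Scope:
    name: str
    # Per-flow policies mirror the Human Users / Machine Users settings above:
    # a flow missing from the map means the scope is not enabled for that flow.
    flow_policies: Dict[str, Policy] = field(default_factory=dict)

def evaluate_scopes(scopes: Dict[str, Scope], requested: List[str],
                    ctx: dict) -> Tuple[List[str], Dict[str, str]]:
    """Return (granted scopes, {denied scope: reason}) for one token request.
    The decision is made here, so the issued token only carries granted scopes."""
    granted, denied = [], {}
    for name in requested:
        scope = scopes.get(name)
        if scope is None:
            denied[name] = "unknown scope"
            continue
        policy = scope.flow_policies.get(ctx["flow"])
        if policy is None:
            denied[name] = f"scope not enabled for {ctx['flow']}"
        elif not policy(ctx):
            denied[name] = "policy denied"
        else:
            granted.append(name)
    return granted, denied

# Constructed policies matching the use cases above (assumed context keys).
def mfa_consent(ctx): return ctx.get("user", {}).get("mfa_verified", False)
def finance_team(ctx): return "finance" in ctx.get("user", {}).get("groups", [])
def trusted_client(ctx): return ctx.get("client", {}).get("metadata", {}).get("tier") == "trusted"

SCOPES = {
    "accounts.read": Scope("accounts.read", {"authorization_code": mfa_consent,
                                             "client_credentials": trusted_client}),
    # Machine Users disabled for this scope: no client_credentials entry.
    "payments.write": Scope("payments.write", {"authorization_code": lambda c: mfa_consent(c) and finance_team(c)}),
    "profile": Scope("profile", {"authorization_code": lambda c: True}),
}

def issue_token(requested: List[str], ctx: dict) -> dict:
    """Build a minimal token payload whose scope claim reflects the policy outcome."""
    granted, denied = evaluate_scopes(SCOPES, requested, ctx)
    return {"scope": " ".join(granted), "denied": denied}
```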
Configuring scope policies
For a walkthrough of restricting grant and consent on a scope, see Restricting access to services using authorization scopes.