Accessing All Resources
The All authorized resource option enables the client to access any resource within a domain.
Select All to allow your application to request an access
token for trusted or confidential client using the scope
urn:opc:resource:consumer::all.
This option provides a wide
scope. The access token in the response contains the audience
urn:opc:resource:scope:account
and the scope
urn:opc:resource:consumer::all,
which gives access to any of
the services that are in the same domain without requiring explicit association with
target services.
Use only the urn:opc:resource:consumer::all
scope in the request. An
invalid scope error is returned if you attempt to include both the
urn:opc:resource:consumer::all
scope and another scope in the
same request, such as urn:opc:idm:__myscopes__.
In the account mode, clients can get token for any specific resource provided either
urn:opc:resource:consumer::all
or the specific resource is
added in the allowed scopes.
Apart from the scope defined above, you can also specify fine-grained scope as follows:
-
urn:opc:resource:consumer:paas::read
-
urn:opc:resource:consumer:paas:stack::all
-
urn:opc:resource:consumer:paas:analytics::read
The requested scope should always exist and match, either directly or hierarchically, the client's defined allowed scopes to allow the client access to the resource.
For example, a client uses the
urn:opc:resource:consumer:paas:analytics::read
scope in its
request for access to a resource. If the scope directly matches an allowed scope
defined, then in the returned access token the audience is
urn:opc:resource:scope:account
and the scope is
urn:opc:resource:consumer:paas:analytics::read
.
If the allowed scope defined by the client is
urn:opc:resource:consumer:paas::read
, then the client is
allowed to access the resource hierarchically if the client requests one of the
following scopes:
-
urn:opc:resource:consumer:paas::read
-
urn:opc:resource:consumer:paas:analytics::read
However, if the requested scope is urn:opc:resource:consumer:paas:analytics::write
with a different qualifier, then the client isn't allowed access to the resource.
The All option doesn't provide access to the IAM admin APIs. You must continue to use the scope
urn:opc:idm:__myscopes__
to access
the admin APIs.To generate a refresh token in addition to the access token, use the scope
urn:opc:resource:consumer::all offline_access
in the
request.