Requesting scopes if you don't know the user until after auth


If we’re using API access management and we are controlling access with sign on policies, what’s the standard way of knowing what scopes to request if you don’t know your user until they’re authenticated?


Hi @aaromin30

In general, applications request openid, profile, email and groups. This provides general details about the user in order to create the session on the SP side.

If you’re using a custom authorization server and you are controlling security through custom scopes in your app - you need to know what to request in order to hit that application policy rule.

If I have 7 different custom scopes and 7 different rules in my policy, the user must be in the corresponding group that it applies to, and the scope requested MUST match what’s in the rule. The problem comes with… if I don’t know who the user is, how do I request the correct scope? Is there a standard pattern for this? Like requesting an access token with groups claims and hitting the /userinfo endpoint to return group data, then getting another access token with the correct scopes requested to get them returned in the token?
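One way to implement the two-step pattern asked about in the last post (request a generic token, read the user's groups from /userinfo, then request only the custom scopes those groups entitle the user to, so the second request does not trip a policy rule it cannot satisfy), written here as an added example that is not code from the thread or from Okta. The group-to-scope mapping, the issuer path, the client id, redirect URI and the sample /userinfo payload are all assumptions; no network call is made, and the token response checked at the end is a constructed sample.

```python
"""Two-step scope selection for an authorization server with per-scope access
policy rules. Step 1: authorize with the generic scopes and call /userinfo to
learn the user's groups. Step 2: build a second authorization request that asks
only for the custom scopes the user's groups are entitled to."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical mapping: which custom scope(s) each policy rule grants to a group.
# In a real deployment this mirrors the rules configured on the authorization server.
GROUP_TO_SCOPES = {
    "Finance": {"invoices:read", "invoices:write"},
    "Support": {"tickets:read"},
    "Admins": {"invoices:read", "tickets:read", "admin:manage"},
}
BASE_SCOPES = ("openid", "profile", "email", "groups")  # step-1 request


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) for a public client."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43..128 PKCE range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(issuer, client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization-code request; the issuer path is an assumption."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer}/v1/authorize?{urlencode(params)}"


def select_scopes(userinfo, mapping=GROUP_TO_SCOPES):
    """Map the groups claim from /userinfo to the custom scopes to request in step 2.
    Groups with no rule contribute nothing, so the request never asks for a scope
    the policy would refuse."""
    eligible = set()
    for group in userinfo.get("groups", []):
        eligible |= mapping.get(group, set())
    return sorted(eligible)


def missing_scopes(token_response, requested):
    """Scopes that were requested but not granted. RFC 6749 requires the server to
    echo the granted 'scope' when it differs from the request; treat absence as
    'nothing granted' so a silent downgrade is noticed."""
    granted = set(token_response.get("scope", "").split())
    return sorted(set(requested) - granted)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    issuer = "https://example.invalid/oauth2/default"   # placeholder issuer
    client = "0oa-placeholder-client-id"                 # placeholder client id
    redirect = "https://app.example.invalid/callback"    # placeholder redirect

    # Step 1: generic scopes; after the code exchange, call /userinfo with the token.
    print(build_authorize_url(issuer, client, redirect, BASE_SCOPES, state, challenge))

    # Constructed /userinfo response for the example.
    userinfo = {"sub": "00u-sample", "email": "user@example.invalid",
                "groups": ["Finance", "Support", "Everyone"]}

    # Step 2: ask only for what the groups entitle.
    wanted = select_scopes(userinfo)
    print(build_authorize_url(issuer, client, redirect, wanted, state, challenge))

    # Constructed token response showing a partial grant being detected.
    print(missing_scopes({"scope": "invoices:read tickets:read"}, wanted))
```

The step-2 request deliberately omits groups the mapping does not know about (such as "Everyone"), and the `missing_scopes` check guards against the case where a policy rule still rejects one of the scopes: the server may then issue a token with a narrower `scope` than requested, and an application that assumes it got everything it asked for will fail later with a less obvious 403.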