
This document contains a list of the possible scopes in an authentication (Web SSO) or token request (OAuth 2.0), and explains the purpose of each one.

GAM Scopes

To request several scopes, concatenate them with "+".

gam_user_data
This scope allows sharing the user's information detailed in the red box in the following picture.

gam_user_additional_data
This scope allows sharing the user's dynamic attributes.
It corresponds to the property &Application.ClientAllowGetUserAdditionalData, which has to be set to TRUE.
In the following picture it corresponds to sharing the "attributes" property.

gam_user_roles
This scope allows sharing the user's roles.
In the following picture it corresponds to sharing the "roles" property.

session_initial_prop
This scope allows sharing initial properties.
In the following picture it corresponds to sharing the "initial_properties" property.
For more details, see HowTo: Send and receive properties set at login

session_application_data
This scope allows sharing session application data.
In the following picture it corresponds to sharing the "application_data" property.
For more details, see the GetApplicationData and SetApplicationData methods of the GAMSession object.

fullcontrol
This scope allows sharing all user data (it adds all the scopes detailed before).

Other Scopes

In both the IDP and the Client it is possible to declare additional scopes (Additional Scopes); for example, if you want to share/request only the email and telephone: user_mail+user_phone.

When using GAMRemote or GAMRemoteREST, if you do not select the "gam_user_data" scope, at least one of the following scopes must be included in order to identify the user: user_guid, user_email, user_username or user_external_id. If none of these scopes is requested, GAMError 5: "User identification not valid" is displayed.

The list of additional user scopes is detailed in the red box in the image below.

ExternalObject-OAuth20UserInfo

The Custom Attributes that each developer defines for a user can also be added as Additional Scopes.
For example, if the Custom Attributes EmployeeID and Salary were added to the user, the additional scopes would be: user_EmployeeID+user_Salary.

Code example of how to add custom attributes:

    // Assumes &GAMUser already holds the GAMUser object to be updated
    // Single-value attribute EmployeeID
    &GAMUserAtt = new()
    &GAMUserAtt.Id           = !"EmployeeID"
    &GAMUserAtt.IsMultiValue = False
    &GAMUserAtt.Value        = !"123100"
    &GAMUser.Attributes.Add(&GAMUserAtt)
    // Single-value attribute Salary
    &GAMUserAtt = new()
    &GAMUserAtt.Id           = !"Salary"
    &GAMUserAtt.IsMultiValue = False
    &GAMUserAtt.Value        = !"20000"
    &GAMUser.Attributes.Add(&GAMUserAtt)
    // Multi-value attribute CompanyID: each value is added as a GAMUserAttribute item
    &GAMUserAtt = new()
    &GAMUserAtt.Id           = !"CompanyID"
    &GAMUserAtt.IsMultiValue = True
    &GAMUserAttMV = new()
    &GAMUserAttMV.Id        = !"GX"
    &GAMUserAttMV.Value     = !"GeneXus"
    &GAMUserAtt.MultiValues.Add(&GAMUserAttMV)
    &GAMUserAttMV = new()
    &GAMUserAttMV.Id        = !"GL"
    &GAMUserAttMV.Value     = !"Globant"
    &GAMUserAtt.MultiValues.Add(&GAMUserAttMV)
    &GAMUser.Attributes.Add(&GAMUserAtt)
    // Persist the user with its new attributes
    &GAMUser.Save()

The above code creates the EmployeeID, Salary and CompanyID attributes (the last one multi-valued) and assigns sample values to them.

The scope corresponding to one of these attributes follows the syntax: user_<AttributeID>.

For example: user_Salary, user_EmployeeID.
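As an added example (Python, not GeneXus code and not part of this page), the helper below builds a "+"-separated scope string, derives user_<AttributeID> scopes from custom attribute IDs, and applies the GAMRemote/GAMRemoteREST identification rule described above; treating fullcontrol as satisfying that rule is an assumption based on its description as adding all the GAM scopes.

```python
# Added example: models the scope rules of this page so a client can check a
# scope string before it is sent to the IDP. Not part of the GAM library.
GAM_SCOPES = {"gam_user_data", "gam_user_additional_data", "gam_user_roles",
              "session_initial_prop", "session_application_data"}
# Without gam_user_data, one of these is required to identify the user.
IDENTIFYING_SCOPES = {"user_guid", "user_email", "user_username", "user_external_id"}
SCOPE_SEPARATOR = "+"  # several scopes are concatenated with "+"
GAM_ERROR_5 = 'GAMError 5: "User identification not valid"'


def custom_attribute_scope(attribute_id: str) -> str:
    """Scope name for a user Custom Attribute: user_<AttributeID>."""
    if not attribute_id or any(c.isspace() for c in attribute_id):
        raise ValueError(f"invalid attribute id: {attribute_id!r}")
    return f"user_{attribute_id}"


def build_scope(scopes, custom_attributes=()) -> str:
    """Join the requested scopes with '+', keeping order and dropping duplicates."""
    wanted = list(scopes) + [custom_attribute_scope(a) for a in custom_attributes]
    unique = []
    for scope in wanted:
        if scope not in unique:
            unique.append(scope)
    return SCOPE_SEPARATOR.join(unique)


def check_remote_scope(scope: str):
    """Return (ok, error) for a GAMRemote/GAMRemoteREST request.

    gam_user_data (or fullcontrol, assumed here to include it) identifies the
    user by itself; otherwise at least one identifying scope must be present,
    or the IDP answers GAMError 5.
    """
    requested = set(scope.split(SCOPE_SEPARATOR)) if scope else set()
    if {"gam_user_data", "fullcontrol"} & requested:
        return True, ""
    if IDENTIFYING_SCOPES & requested:
        return True, ""
    return False, GAM_ERROR_5


if __name__ == "__main__":
    # Constructed sample request: custom attributes only, no identifying scope
    scope = build_scope(["gam_user_roles"], ["EmployeeID", "Salary"])
    print(scope, check_remote_scope(scope))
```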

However, the property (&GAMApplication.ClientDoNotShareUserIDs : Boolean) exists, which in the GAM Backoffice appears as "Do not share user IDs". When it is enabled, neither the user's GUID nor their ExternalID is ever sent; instead, a GUID is generated for this Client and returned in the external_id field.

In addition, the property (&GAMApplication.ClientAuthenticationRequestMustIncludeUserScopes : Boolean) is available, which in the GAM Backoffice appears as "Authentication request must include user scopes?". It controls whether the Scopes must be sent when requesting an access_token; when they are not required and none are sent, the response includes all the Scopes that the application has enabled.

See Also

HowTo: Use GAM as an OAuth 2.0 provider
GAM - OAuth 2.0 Endpoints to use GAM as Web IDP Server

Last update: February 2024 | © GeneXus. All rights reserved. GeneXus Powered by Globant