This document contains a list of the possible scopes in an authentication (Web SSO) or token request (OAuth 2.0), and explains the purpose of each one.
To use several scopes, concatenate them with “+”.
This scope shares the user's information detailed in the red box in the following picture.
This scope shares the user's dynamic attributes.
This corresponds to the property &Application.ClientAllowGetUserAdditionalData that has to be set to TRUE.
In the following picture it corresponds to sharing the "attributes" property.
This scope shares the user's roles.
In the following picture it corresponds to sharing the "roles" property.
session_initial_prop
This scope shares the initial properties.
In the following picture it corresponds to sharing the "initial_properties" property.
For more details, see HowTo: Send and receive properties set at login
session_application_data
This scope shares the session application data.
In the following picture it corresponds to sharing the "application_data" property.
For more details, see the GetApplicationData and SetApplicationData methods of the GAMSession object.
This scope shares all user data.
In addition, you can request as much as possible from the user.
Since GeneXus 18 upgrade 6, it is possible to use one scope for every property from the red box in the following picture.
For example, to share only the email and the phone: user_email+user_phone.
You can also specify the list of dynamic attributes.
For example, if the user has a dynamic property with &GAMUserAtt.Id = !"EmployeeID",
the scope that requests it is user_EmployeeID.

The user can also have Custom Attributes. To request those attributes, consider for example a user that has an ID, a Company and a Salary:
// Single-value attribute: EmployeeID
&GAMUserAtt = new()
&GAMUserAtt.Id = !"EmployeeID"
&GAMUserAtt.IsMultiValue = False
&GAMUserAtt.Value = !"123100"
&GAMUser.Attributes.Add(&GAMUserAtt)
// Single-value attribute: Salary
&GAMUserAtt = new()
&GAMUserAtt.Id = !"Salary"
&GAMUserAtt.IsMultiValue = False
&GAMUserAtt.Value = !"20000"
&GAMUser.Attributes.Add(&GAMUserAtt)
// Multi-value attribute: CompanyID, with two values (GX and GL)
&GAMUserAtt = new()
&GAMUserAtt.Id = !"CompanyID"
&GAMUserAtt.IsMultiValue = True
&GAMUserAttMV = new()
&GAMUserAttMV.Id = !"GX"
&GAMUserAttMV.Value = !"GeneXus"
&GAMUserAtt.MultiValues.Add(&GAMUserAttMV)
&GAMUserAttMV = new()
&GAMUserAttMV.Id = !"GL"
&GAMUserAttMV.Value = !"Globant"
&GAMUserAtt.MultiValues.Add(&GAMUserAttMV)
&GAMUser.Attributes.Add(&GAMUserAtt)
// Persist the user together with the attributes added above
&GAMUser.Save()
The above code creates the Salary, Company and EmployeeID Attributes and assigns sample values to them.
To get the scope for each of these attributes, the syntax is as follows: user_<AttributeID>.
For example: user_Salary, user_EmployeeID.
However, the property &GAMApplication.ClientDoNotShareUserIDs (Boolean) was created, which appears in the GAM Backoffice as "Do not share user IDs". It ensures that neither the User GUID nor the user's ExternalID is ever sent; in this case a GUID is generated for this Client and returned in the external_id field.
In addition, the property &GAMApplication.ClientAuthenticationRequestMustIncludeUserScopes (Boolean) was created, which appears in the GAM Backoffice as "Authentication request must include user scopes?". It makes it possible to request an access_token without sending the Scopes; in this case the response includes all the Scopes that the application has enabled.
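The scope syntax above can be checked before a client is approved. The following Python check is an added example, not part of the GeneXus documentation or GAM's own code: it decodes the scope parameter of a request (in a query string, "+" is the form encoding of a space) and compares the result with the scopes approved for a client. The approved set, the sample query string and the function names are assumptions.

```python
from urllib.parse import parse_qs

# Assumption: scopes this client has been approved to receive (constructed sample).
APPROVED = {"user_email", "user_phone", "user_EmployeeID"}

# Constructed sample request query; the client_id value is a placeholder.
SAMPLE_QUERY = "client_id=PLACEHOLDER&scope=user_email+user_phone+user_Salary"


def requested_scopes(query: str) -> list[str]:
    """Return the scopes named in a request query string, in order, de-duplicated."""
    values = parse_qs(query).get("scope", [])
    if len(values) > 1:
        # A repeated parameter makes it ambiguous which value the server honours.
        raise ValueError("scope parameter repeated")
    # parse_qs turns "+" into a space; a percent-encoded "%2B" arrives as a
    # literal "+", so normalise that form to the same separator.
    raw = values[0].replace("+", " ") if values else ""
    seen: list[str] = []
    for name in raw.split():
        if name not in seen:
            seen.append(name)
    return seen


def review(query: str, approved=APPROVED) -> dict:
    """Classify the requested scopes against the approved set."""
    scopes = requested_scopes(query)
    return {
        "allowed": [s for s in scopes if s in approved],
        "rejected": [s for s in scopes if s not in approved],
        # Property or attribute names requested through user_<AttributeID>.
        "properties": [s[len("user_"):] for s in scopes if s.startswith("user_")],
        # Per the page, a request without scopes may be answered with every
        # scope the application has enabled, so flag it for review.
        "no_scopes_sent": not scopes,
    }


if __name__ == "__main__":
    print(review(SAMPLE_QUERY))
```
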
HowTo: Use GAM as an OAuth 2.0 provider
GAM - OAuth 2.0 Endpoints to use GAM as Web IDP Server