Reputation: 59
In order to grant access to APIs to an application, you need to define an "API product", and then the "App" can be associated with those API products, granting access.
When defining an "API product", there is a configuration parameter called "Allowed OAuth Scopes", but it is not clear from the Apigee documentation how this parameter is used or what the use case is.
When applying a VerifyToken OAuth policy to an API proxy, it seems to ignore this parameter.
For example: scope "foo" at an OAuth token endpoint in Apigee; Allowed OAuth scopes "bar" in the same Apigee org; VerifyToken policy: on a scope mismatch, the VerifyToken policy will succeed (scope is ignored). So, what is the use case?
Upvotes: 0
Views: 3409
Reputation: 1990
Allowed OAuth scopes is used to determine the list of scopes that will be allowed for the product. This does not keep the token from being created or verified successfully.
For example, say the Allowed OAuth scopes for the API product are gold, silver, and bronze. Assume the app has been granted access to that product. When the app requests the access token with the scopes silver and tin, an access token will be created with the scope silver, since tin is not an allowed scope.
Similarly, if the request is for tin and copper, the access token will still be created, but with no scope, since neither tin nor copper are allowed scopes. The app needs to be written to pay attention to scope (or lack thereof). There is no automatic rejection or limiting of access done by Apigee based upon a token's scope(s).
In a normal use case, an access token with no scope would either be rejected manually using proxy policies, or would be granted a default level of access. This would be a business decision based upon how you wanted your scopes to be used.
Upvotes: 2
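The behaviour the answer describes, as an added illustration that is not Apigee's code: a small Python model of the token endpoint filtering requested scopes against the product's allowed scopes, plus the proxy-side enforcement step that Apigee leaves to you. The product name, function names and the default-scope option are assumptions made for the example.

```python
# Model of Apigee's scope handling as described above (added example, not Apigee code).
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class ApiProduct:
    name: str
    allowed_scopes: FrozenSet[str]  # the product's "Allowed OAuth Scopes"


@dataclass(frozen=True)
class AccessToken:
    scopes: FrozenSet[str]


def issue_token(product: ApiProduct, requested: Set[str]) -> AccessToken:
    """Token endpoint: keep only the requested scopes the product allows.

    Scopes outside the allowed list are dropped silently; the token is still
    issued, possibly with no scope at all. Nothing is rejected here.
    """
    return AccessToken(scopes=frozenset(requested) & product.allowed_scopes)


def enforce_scope(token: AccessToken, required: Set[str],
                  default_scope: Optional[str] = None) -> Tuple[int, FrozenSet[str]]:
    """Proxy-side check that Apigee does not perform for you.

    A token with no scope is either rejected (403) or, if the business
    decision is to grant a default level of access, treated as `default_scope`.
    Returns (HTTP status, effective scopes the request is allowed to use).
    """
    effective = token.scopes
    if not effective and default_scope is not None:
        effective = frozenset({default_scope})  # assumed "default access" policy
    if not (effective & frozenset(required)):
        return 403, frozenset()
    return 200, effective


if __name__ == "__main__":
    # Constructed sample product matching the answer's gold/silver/bronze example.
    metals = ApiProduct("metals", frozenset({"gold", "silver", "bronze"}))
    print(issue_token(metals, {"silver", "tin"}).scopes)    # silver only
    print(issue_token(metals, {"tin", "copper"}).scopes)    # empty: token still issued
    print(enforce_scope(issue_token(metals, {"tin"}), {"silver"}))  # 403 unless defaulted
```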