phantom_token_scopes
The `phantom_token_scopes` directive configures the scopes required for accessing resources protected by the Phantom Token NGINX Module.
Description
The phantom_token_scopes directive takes a space-separated list of OAuth scopes that the module places in the WWW-Authenticate header of a 401 Unauthorized response. This is useful when the back-end API behind the location requires particular scopes for its permission checks: when a request reaches the location without a valid access token, NGINX answers 401 and the challenge tells the client which scopes it should obtain before retrying. The challenge uses the RFC 6750 Bearer form, for example WWW-Authenticate: Bearer realm="api", scope="scope1 scope2 scope3" (the realm shown here is illustrative).
The directive must be placed inside an NGINX location block and takes a single argument: the space-separated string of scopes. Its role is declarative: it states which scopes the resource needs so that the challenge can report them to the client. The permission check the description refers to is performed by the back-end API, so do not rely on this directive alone to reject tokens that lack the listed scopes. Publishing the required scopes in the challenge gives client applications an unambiguous statement of which permissions a resource needs, which keeps the access-control contract between client and server explicit.
Config Example
location /protected {
phantom_token_scopes "scope1 scope2 scope3";
# Other configurations for the Phantom Token Module
}
Ensure that the scopes specified are established and properly recognized by your back-end services.
Scope names must not contain spaces, double quotes or backslashes. The space is the list separator, and RFC 6749 (section 3.3) restricts a scope token to printable ASCII without those characters, so a value containing them cannot be represented correctly in the scope attribute of the challenge and will confuse clients that parse it.
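The client side of the flow described above, as an added example that is not part of this page or of the Phantom Token module: it parses the Bearer challenge from a 401 response, extracts the scope attribute that phantom_token_scopes populates, checks each name against the RFC 6749 scope-token grammar (the same rule the note above gives for the directive value), and reports which scopes the client's current token is missing. The sample header is constructed by hand in the RFC 6750 form; the realm value and the error attribute are assumptions, not output captured from the module.

```python
import re

# Constructed sample: a challenge of the kind a 401 from a location with
# phantom_token_scopes "scope1 scope2 scope3" would carry. The realm and the
# error attribute are assumed values in the RFC 6750 layout, not a capture.
SAMPLE_CHALLENGE = 'Bearer realm="api", scope="scope1 scope2 scope3", error="invalid_token"'

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII with no space, no double quote and no backslash.
_SCOPE_TOKEN = re.compile(r'^[\x21\x23-\x5b\x5d-\x7e]+$')

# auth-param = token "=" ( token / quoted-string ); scope tokens cannot contain
# a double quote, so a simple [^"]* is sufficient for the quoted form here.
_AUTH_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def is_valid_scope_token(scope: str) -> bool:
    """True if `scope` is a legal RFC 6749 scope token."""
    return bool(_SCOPE_TOKEN.match(scope))


def validate_directive_value(value: str) -> list[str]:
    """Split a phantom_token_scopes value and reject names that could not
    survive the round trip into the WWW-Authenticate scope attribute."""
    scopes = value.split()
    bad = [s for s in scopes if not is_valid_scope_token(s)]
    if bad:
        raise ValueError(f"illegal scope token(s): {bad}")
    return scopes


def parse_bearer_challenge(header: str) -> dict:
    """Parse the auth-params of a Bearer challenge into a dict.

    Only the Bearer scheme is handled; keys are lower-cased, values may be
    quoted strings or bare tokens.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    out = {}
    for m in _AUTH_PARAM.finditer(params):
        key = m.group(1).lower()
        out[key] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def required_scopes(header: str) -> list[str]:
    """Scopes the server asks for in the challenge, validated as scope tokens."""
    params = parse_bearer_challenge(header)
    scopes = params.get("scope", "").split()
    bad = [s for s in scopes if not is_valid_scope_token(s)]
    if bad:
        raise ValueError(f"malformed scope token(s) in challenge: {bad}")
    return scopes


def missing_scopes(header: str, granted: set[str]) -> list[str]:
    """Scopes the challenge requires that the client's current token lacks;
    an empty result means the 401 was not caused by insufficient scope."""
    return [s for s in required_scopes(header) if s not in granted]


if __name__ == "__main__":
    print("required:", required_scopes(SAMPLE_CHALLENGE))
    print("missing given {'scope1'}:", missing_scopes(SAMPLE_CHALLENGE, {"scope1"}))
    print("directive value ok:", validate_directive_value("scope1 scope2 scope3"))
```

A client that receives a 401 with a non-empty missing list should request a new token with the union of its current scopes and the missing ones rather than retrying blindly; an empty list with error="invalid_token" points at an expired or revoked token instead. validate_directive_value is the check to run over the configured string before deploying the location block.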