IScopeAnalyzer
The Scope Analyzer Service is responsible for analyzing OAuth 2.0 and OpenID Connect scopes, grouping them by target resource, and classifying individual scopes so they can be handled differently during token acquisition and usage. Each target resource requires its own access token, and correct analysis is a prerequisite for acquiring, caching, and using those tokens correctly.
This service plays a critical supporting role in token acquisition by ensuring that scopes intended for different APIs are never combined into a single token request, and by providing metadata about each scope that downstream services can act upon.
- Analyze a set of requested scopes
- Determine the target resource for each scope
- Group scopes by target resource
- Classify scopes to indicate their relative sensitivity or privilege level
- Produce a structure that allows downstream services to request one access token per resource
The service is intentionally limited to deterministic logic related to scope analysis and must not participate directly in token acquisition or storage.
The Scope Analyzer Service defines the following members:
- AnalyzeScopesAsync
  - Analyzes the provided scopes and groups them by target resource
  - Classifies each scope so it can be treated differently by downstream services
  - Supports asynchronous execution to allow implementations to consult external systems or metadata
  - Returns a dictionary where each key identifies a target resource and the value is a list of analyzed scope objects associated with that resource
Blazorade ID provides a default implementation of the Scope Analyzer Service with synchronous, in-memory logic wrapped in an asynchronous API.
The default implementation applies the following rules:
- Scopes containing a forward slash (/) are treated as resource-specific scopes
  - The resource identifier is derived from the part of the scope preceding the last slash
  - The scope is classified using the default classification
- Scopes without a slash are treated as Microsoft Graph scopes
  - These scopes are grouped under the Microsoft Graph resource identifier
  - Scopes ending with .All are classified as elevated scopes
  - All other scopes are classified as default scopes
This implementation does not perform any asynchronous operations and instead returns a completed task, preserving low latency while remaining compatible with the asynchronous contract.
The default implementation is specifically designed for scopes defined for application registrations in Microsoft Entra ID and Microsoft Entra External ID, and follows the scope and resource conventions used by those platforms.
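The default rules above, reimplemented as an added example so they can be run against sample input. This is example code, not Blazorade ID's own implementation: the interface signature, the AnalyzedScope record, the ScopeClassification enum, the Graph resource identifier `https://graph.microsoft.com` and the handling of malformed scopes are assumptions made for the example (C# 9 or later, .NET 6 or later).

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

public enum ScopeClassification { Default, Elevated }

// One analyzed scope: the raw scope string, the resource it targets and its classification.
public sealed record AnalyzedScope(string Scope, string Resource, ScopeClassification Classification);

// Assumed shape of the service contract: one dictionary entry per target resource.
public interface IScopeAnalyzer
{
    Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeScopesAsync(IEnumerable<string> scopes);
}

public sealed class DefaultScopeAnalyzer : IScopeAnalyzer
{
    // Assumed identifier for the Microsoft Graph resource group.
    public const string GraphResource = "https://graph.microsoft.com";

    public Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeScopesAsync(IEnumerable<string> scopes)
    {
        var groups = new Dictionary<string, List<AnalyzedScope>>(StringComparer.Ordinal);

        foreach (var raw in scopes)
        {
            var scope = raw?.Trim();
            if (string.IsNullOrEmpty(scope)) continue; // a blank entry carries no permission

            AnalyzedScope analyzed;
            var lastSlash = scope.LastIndexOf('/');
            if (lastSlash >= 0)
            {
                // Rule 1: resource-specific scope. Resource = everything before the last
                // slash; classification is always Default, even when the name ends in ".All".
                var resource = scope.Substring(0, lastSlash);
                if (resource.Length == 0 || lastSlash == scope.Length - 1)
                    throw new ArgumentException($"Malformed scope '{scope}'."); // assumed: reject rather than emit an empty key or name
                analyzed = new AnalyzedScope(scope, resource, ScopeClassification.Default);
            }
            else
            {
                // Rule 2: no slash means Microsoft Graph; a ".All" suffix means Elevated.
                // Case-insensitive suffix matching is this example's choice.
                var cls = scope.EndsWith(".All", StringComparison.OrdinalIgnoreCase)
                    ? ScopeClassification.Elevated : ScopeClassification.Default;
                analyzed = new AnalyzedScope(scope, GraphResource, cls);
            }

            if (!groups.TryGetValue(analyzed.Resource, out var list))
                groups[analyzed.Resource] = list = new List<AnalyzedScope>();
            list.Add(analyzed);
        }

        // Nothing is awaited: a completed task satisfies the asynchronous contract without added latency.
        return Task.FromResult(groups);
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Constructed input: an OIDC scope, Graph scopes in short and URI form, and a custom API.
        var requested = new[]
        {
            "openid", "User.Read", "Mail.ReadWrite.All",
            "https://graph.microsoft.com/Directory.Read.All",
            "api://contoso-orders/Orders.Read", "api://contoso-orders/Orders.Manage.All",
        };

        var analysis = await new DefaultScopeAnalyzer().AnalyzeScopesAsync(requested);

        // Each key is one token request; each line is a scope carried in that request.
        foreach (var (resource, scopes) in analysis)
        {
            Console.WriteLine($"Token request for {resource}:");
            foreach (var s in scopes)
                Console.WriteLine($"  {s.Scope,-48} {s.Classification}");
        }
    }
}
```

Three consequences of the rules as stated are visible in the output. `openid` lands in the Graph group, because the rules do not single out OpenID Connect scopes. `Directory.Read.All` in URI form shares the Graph group only because the example's Graph identifier equals the URI prefix; if the library uses a different identifier for Graph, the URI form becomes a separate group and therefore a separate token request. And both `Directory.Read.All` in URI form and `api://contoso-orders/Orders.Manage.All` are classified Default, since the `.All` rule applies only to slash-less scopes; a custom implementation that wants elevated treatment for resource-specific scopes has to add that rule itself.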
The Scope Analyzer Service is defined as an asynchronous service.
This explicitly allows implementations to:
- Consult external systems or metadata sources
- Perform dynamic scope-to-resource resolution
- Apply custom scope classification rules
- Support identity providers with non-static or tenant-specific scope models
Despite being asynchronous, implementations should still aim to:
- Minimize latency, as scope analysis is part of the token acquisition path
- Avoid unnecessary external calls by applying caching where appropriate
- Produce stable and repeatable results for identical inputs
Introducing asynchronous behavior increases the risk of latency, failures, and throttling. Implementations must handle these risks explicitly to avoid destabilizing token acquisition.
Applications may replace the default Scope Analyzer Service implementation to support alternative scope formats, non-Microsoft identity providers, custom resource identification rules, or different scope classification strategies.
Custom implementations should preserve the following invariants:
- One resource identifier per access token request
- Stable and repeatable analysis results
- Deterministic scope classification
- No hidden coupling to token storage or acquisition logic
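An added example, not Blazorade ID's code, of a custom analyzer that follows the asynchronous guidance and the invariants above. It wraps another IScopeAnalyzer (here a stand-in that resolves tenant-specific scopes from metadata) and adds an order-independent cache so identical inputs give identical results with one external call, a hard timeout so a slow metadata source cannot stall token acquisition, and a check that every scope is filed under its own resource. The interface and record shapes, the TenantMetadataScopeAnalyzer with its constructed metadata map, and the GuardedScopeAnalyzer are all assumptions of the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

public enum ScopeClassification { Default, Elevated }
public sealed record AnalyzedScope(string Scope, string Resource, ScopeClassification Classification);
public interface IScopeAnalyzer
{
    Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeScopesAsync(IEnumerable<string> scopes);
}

// Stand-in for an analyzer that consults tenant metadata: a constructed
// scope-to-resource map behind an artificial delay (assumed, for the example).
public sealed class TenantMetadataScopeAnalyzer : IScopeAnalyzer
{
    private static readonly Dictionary<string, string> Metadata = new(StringComparer.Ordinal)
    {
        ["orders.read"] = "api://contoso-orders",
        ["orders.manage"] = "api://contoso-orders",
        ["billing.read"] = "api://contoso-billing",
    };
    private readonly TimeSpan _delay;
    public TenantMetadataScopeAnalyzer(TimeSpan delay) => _delay = delay;

    public async Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeScopesAsync(IEnumerable<string> scopes)
    {
        await Task.Delay(_delay); // simulated remote lookup
        var groups = new Dictionary<string, List<AnalyzedScope>>(StringComparer.Ordinal);
        foreach (var scope in scopes)
        {
            if (!Metadata.TryGetValue(scope, out var resource))
                throw new ArgumentException($"Unknown scope '{scope}' for this tenant.");
            var cls = scope.EndsWith(".manage", StringComparison.Ordinal) ? ScopeClassification.Elevated : ScopeClassification.Default;
            if (!groups.TryGetValue(resource, out var list)) groups[resource] = list = new List<AnalyzedScope>();
            list.Add(new AnalyzedScope(scope, resource, cls));
        }
        return groups;
    }
}

public sealed class GuardedScopeAnalyzer : IScopeAnalyzer
{
    private readonly IScopeAnalyzer _inner;
    private readonly TimeSpan _timeout;
    private readonly ConcurrentDictionary<string, Lazy<Task<Dictionary<string, List<AnalyzedScope>>>>> _cache = new(StringComparer.Ordinal);

    public GuardedScopeAnalyzer(IScopeAnalyzer inner, TimeSpan timeout) { _inner = inner; _timeout = timeout; }

    // Trim, drop blanks and duplicates, sort ordinally: the same scope set in any
    // order yields the same key, so results are stable and repeatable.
    public static string[] Normalize(IEnumerable<string> scopes) => scopes
        .Select(s => s?.Trim()).Where(s => !string.IsNullOrEmpty(s))
        .Distinct(StringComparer.Ordinal).OrderBy(s => s, StringComparer.Ordinal).ToArray();

    public Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeScopesAsync(IEnumerable<string> scopes)
    {
        var normalized = Normalize(scopes);
        var key = string.Join(" ", normalized);
        // Lazy makes concurrent callers with the same key share a single inner call.
        return _cache.GetOrAdd(key, k => new Lazy<Task<Dictionary<string, List<AnalyzedScope>>>>(
            () => AnalyzeUncachedAsync(normalized, k))).Value;
    }

    private async Task<Dictionary<string, List<AnalyzedScope>>> AnalyzeUncachedAsync(string[] normalized, string key)
    {
        try
        {
            var work = _inner.AnalyzeScopesAsync(normalized);
            if (await Task.WhenAny(work, Task.Delay(_timeout)) != work)
                throw new TimeoutException($"Scope analysis exceeded {_timeout.TotalMilliseconds} ms.");
            var result = await work;
            Validate(result, normalized);
            return result;
        }
        catch
        {
            _cache.TryRemove(key, out _); // never keep a failed entry; the next caller retries
            throw;
        }
    }

    // Every scope must sit under its own resource (one resource per token request),
    // and the analyzed set must equal the requested set: nothing dropped, nothing added.
    private static void Validate(Dictionary<string, List<AnalyzedScope>> result, string[] requested)
    {
        var misfiled = result.SelectMany(kv => kv.Value.Where(s => !string.Equals(s.Resource, kv.Key, StringComparison.Ordinal))).FirstOrDefault();
        if (misfiled != null)
            throw new InvalidOperationException($"Scope '{misfiled.Scope}' targets '{misfiled.Resource}' but is grouped under another resource.");
        var analyzed = result.Values.SelectMany(l => l).Select(s => s.Scope).OrderBy(s => s, StringComparer.Ordinal);
        if (!analyzed.SequenceEqual(requested))
            throw new InvalidOperationException("Analyzed scope set does not match the requested scope set.");
    }
}

public static class Program
{
    public static async Task Main()
    {
        var analyzer = new GuardedScopeAnalyzer(new TenantMetadataScopeAnalyzer(TimeSpan.FromMilliseconds(50)), TimeSpan.FromSeconds(1));
        // Same set in a different order, with a duplicate and stray whitespace: one inner call, one shared result.
        var first = await analyzer.AnalyzeScopesAsync(new[] { "orders.manage", "billing.read", "orders.read" });
        var second = await analyzer.AnalyzeScopesAsync(new[] { "orders.read ", "orders.manage", "billing.read", "orders.read" });
        Console.WriteLine($"cache hit: {ReferenceEquals(first, second)}; resources: {string.Join(", ", first.Keys)}");
        // A slow metadata source is cut off instead of stalling token acquisition.
        var slow = new GuardedScopeAnalyzer(new TenantMetadataScopeAnalyzer(TimeSpan.FromSeconds(5)), TimeSpan.FromMilliseconds(100));
        try { await slow.AnalyzeScopesAsync(new[] { "orders.read" }); }
        catch (TimeoutException ex) { Console.WriteLine(ex.Message); }
    }
}
```

The cache deliberately has no expiry, which is only acceptable when scope-to-resource mappings are static for the lifetime of the process; a tenant-specific model that can change needs an eviction policy, and the cache key should then include the tenant as well as the normalized scope set. The validation step is what keeps a custom analyzer honest about the one-resource-per-request invariant: a mapping bug that files a scope under the wrong resource surfaces here as an exception rather than as a token request the authorization server rejects or, worse, a token that silently lacks a permission.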
The Scope Analyzer Service is invoked during access token acquisition, before any interaction with an authorization or token endpoint. Its output determines:
- How many access tokens are requested
- Which scopes are included in each request
- How scopes are treated based on their classification
- Which target resources are contacted
Because this service may perform asynchronous operations, failures or delays will directly impact authentication and authorization flows. Incorrect or unstable scope analysis will result in invalid token requests, authorization failures, or unusable tokens.
- OAuth 2.0 Authorization Framework (RFC 6749)
- OAuth 2.0 Scope Best Practices
- Microsoft identity platform access tokens
- OpenID Connect Core 1.0