
Resource Access Management:Overview of Alibaba Cloud OAuth applications

Last Updated:Mar 25, 2026

Alibaba Cloud supports the OAuth 2.0 and 2.1 frameworks, which allow client applications to securely obtain delegated access to Alibaba Cloud resources on behalf of a user. This topic provides an overview of the key concepts, common use cases, and supported OAuth scopes.

How it works: The authorization flow

The Alibaba Cloud OAuth service uses standard OAuth 2.0 flows, such as the authorization code flow. The general process is as follows:

  1. Authorization request: The client application redirects the user to the Alibaba Cloud authorization server to request access. The request specifies the desired permissions (scopes).

  2. User consent: The authorization server authenticates the user and prompts them to grant or deny the application's request for access.

  3. Authorization grant: If the user grants access, the authorization server redirects the user back to the application with an authorization code.

  4. Token exchange: The application exchanges the authorization code for an access token (and optionally an ID token and refresh token) by making a back-channel request to the authorization server.

  5. Resource access: The application uses the access token to make secure API calls to Alibaba Cloud services on behalf of the user.
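The five steps above as client-side code. This is an added example, not code from the page or from Alibaba Cloud: it builds the step 1 authorization request, validates the step 3 callback, and prepares the step 4 token exchange. It adds PKCE (S256) and a random state parameter, which the page does not mention but which OAuth 2.1 requires for the authorization code flow and which are the usual defence against code interception and login CSRF. The endpoint paths, the client ID and the redirect URI are placeholders; the page only states the issuer https://oauth.aliyun.com, so take the real paths from the documentation for your application type.

```python
import base64
import hashlib
import secrets
import urllib.parse

# The page names only the issuer, https://oauth.aliyun.com. The endpoint paths
# below are placeholders (assumption); confirm them in the Alibaba Cloud OAuth
# application documentation for your application type.
AUTHORIZE_ENDPOINT = "https://oauth.aliyun.com/authorize"  # assumed path
TOKEN_ENDPOINT = "https://oauth.aliyun.com/token"          # assumed path


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 (PKCE) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_for(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_pair():
    """Fresh (code_verifier, code_challenge). The verifier never leaves the
    client until the back-channel token exchange in step 4."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 limit
    return verifier, code_challenge_for(verifier)


def build_authorization_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the front-channel request the user's browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),           # e.g. openid aliuid profile
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 3: check the redirect back to the app and return the code.
    A state mismatch means this callback was not started by this session
    (login CSRF or a replayed URL) and must not be exchanged."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(client_id, redirect_uri, code, code_verifier):
    """Step 4: form body for the back-channel POST to TOKEN_ENDPOINT. The
    code_verifier proves the same client started the flow; a confidential
    (web) client also adds its client_secret here, never in a browser redirect."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def demo_flow():
    """Offline walk-through of steps 1, 3 and 4 with a constructed callback."""
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = new_pkce_pair()
    url = build_authorization_url("app-123", "https://app.example/cb",
                                  ["openid", "aliuid", "profile"], state, challenge)
    # Constructed: the redirect the authorization server would send on consent.
    callback = "https://app.example/cb?" + urllib.parse.urlencode(
        {"code": "authcode-xyz", "state": state})
    code = parse_callback(callback, state)
    return url, token_request("app-123", "https://app.example/cb", code, verifier)


if __name__ == "__main__":
    authorize_url, body = demo_flow()
    print(authorize_url)
    print(body)
```

The state value and the code verifier must be bound to the user's session (for example, stored server-side keyed by a session cookie) between step 1 and step 3; if they are kept in a place an attacker can set, such as a URL parameter, the checks above protect nothing.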

Key concepts

Concept

Description

Resource owner

The user who owns the resources and grants permission to the application. A resource owner can be an Alibaba Cloud account, a RAM user, or a RAM role.

Note

Support for RAM roles as resource owners is available for OAuth applications created after September 10, 2024. To enable this feature for older applications, you can submit a ticket.

Client application

The application requesting access to the resource owner's resources. Alibaba Cloud supports the following application types:

  • Web application: A server-side application that users access through a browser.

  • Native application: A desktop or mobile application installed on a device.

  • Server-to-server application: A non-interactive application that accesses services directly, such as for automated provisioning via SCIM.

Applications can also be classified as first-party (developed within your account) or third-party (developed by another account and installed by you).

Authorization server

The Alibaba Cloud OAuth service, which is responsible for authenticating the resource owner, obtaining their consent, and issuing tokens to the client application.

OAuth scope

Defines the specific permissions the application is requesting. The issued access token is limited to the scopes granted by the user.

Identity scopes:

  • openid (Default and required): Grants permission to get a unique, non-PII identifier for the user.

    Note

    The OpenID is a unique identifier for the user but does not contain personally identifiable information (PII) like a username or Alibaba Cloud UID. To retrieve that information, you must also request the aliuid or profile scopes.

  • aliuid: Grants permission to get the user's Alibaba Cloud account and RAM user UIDs.

  • profile: Grants permission to get the user's display name or UPN.

Resource scopes:

  • /acs/scim: Grants access to the SCIM service for identity provisioning.

  • /acs/alidns: Grants access to Alibaba Cloud DNS APIs.

  • /acs/ccc: Grants access to Alibaba Cloud Call Center APIs.

  • /acs/cloudesl: Grants access to CloudESL APIs.

  • /acs/digitalstore: Grants access to Digital Store.

  • /acs/scsp: Grants access to Smart Customer Service Platform.

  • /acs/cloudgame: Grants access to Cloud Gaming Platform.

  • /acs/aiccs: Grants access to Artificial Intelligence Cloud Call Service.

  • /acs/alimt: Grants access to the Machine Translation service.

  • /acs/easygene: Grants access to Genomics Computing Platform APIs.

  • /acs/mcp-server: Authorizes the Alibaba Cloud MCP Server to call Alibaba Cloud service APIs.

    Note

    The /acs/mcp-server scope is supported only by OAuth 2.1.

Token

A security credential issued by the authorization server.

  • ID token: A JWT that contains claims about the user's identity. It cannot be used to access APIs.

  • Access token: A token that is presented to the resource server (such as an Alibaba Cloud API endpoint) to access the user's resources.

  • Refresh token: A long-lived token used to obtain a new access token without requiring the user to log on again.

Common use cases

Third-party web application access

A third-party monitoring service uses OAuth to request read-only access to a user's Elastic Compute Service (ECS) metrics. The user logs on to Alibaba Cloud, consents to the requested permissions, and the application receives an access token to call Cloud Monitor APIs on their behalf.

Desktop or mobile application integration

A mobile application for managing Object Storage Service (OSS) buckets uses OAuth to allow users to log on with their Alibaba Cloud account. After the user grants consent, the app gets an access token to list buckets and upload or download objects.

Automated identity provisioning

An enterprise uses a third-party identity management solution (like Microsoft Entra ID or Okta) to automate the creation, update, and deletion of RAM users in Alibaba Cloud. The solution is configured as a server-to-server OAuth application with the /acs/scim scope to interact with the RAM SCIM endpoint.

ID token claims

If the openid, aliuid, and profile scopes are granted, the returned ID token can contain the following claims. A claim is present only if its required scope was granted:

  • sub (requires openid): A unique, non-PII identifier for the user. For a RAM role, the value is <RoleID:RoleSessionName> to ensure session uniqueness.

  • aud (requires openid): The ID of your OAuth application.

  • iss (requires openid): The URL of the authorization server: https://oauth.aliyun.com.

  • exp (requires openid): The UNIX timestamp when the token expires.

  • iat (requires openid): The UNIX timestamp when the token was issued.

  • aid (requires aliuid): The ID of the Alibaba Cloud account to which the user belongs.

  • uid (requires aliuid): The UID of the authenticated principal (Alibaba Cloud account ID, RAM user ID, or RAM role ID).

  • type (requires profile): The type of the authenticated principal. Valid values: account, user, and role.

  • login_name (requires profile): The logon name of the authenticated principal. This claim is returned only for Alibaba Cloud accounts.

  • upn (requires profile): The User Principal Name (UPN) of the authenticated principal. This claim is returned only for RAM users.

  • name (requires profile): The display name of the authenticated principal. For a RAM role, this is <RoleName:RoleSessionName>. This claim is returned only for RAM users and roles.
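How a relying party should consume these claims, as an added example that is not code from the page or from Alibaba Cloud. It checks the claims the page documents (iss, aud, exp, iat, sub), refuses unsigned tokens, and maps the type, uid, login_name, upn, name and sub claims onto an application principal, splitting a RAM role's sub into role ID and session name. Signature verification is delegated to a caller-supplied function, because the page does not describe the issuer's signing keys or how to fetch them; the HMAC key and sample tokens at the bottom are constructed fixtures so the example runs offline and are not how the issuer signs tokens. The 60-second clock-skew allowance is an assumption.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "https://oauth.aliyun.com"   # iss value this page documents
MAX_SKEW = 60                          # seconds of clock skew tolerated (assumption)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def describe_principal(claims: dict) -> dict:
    """Map the aliuid/profile claims onto the principal the app acts for."""
    kind = claims.get("type")
    uid = claims.get("uid")
    if kind == "account":
        return {"type": kind, "uid": uid, "name": claims.get("login_name")}
    if kind == "user":
        return {"type": kind, "uid": uid, "account": claims.get("aid"),
                "name": claims.get("upn")}
    if kind == "role":
        # sub is RoleID:RoleSessionName. Keep the session name: two sessions of
        # the same role are distinct sessions, not one identity to be merged.
        role_id, _, session = claims.get("sub", "").partition(":")
        return {"type": kind, "uid": uid, "account": claims.get("aid"),
                "role_id": role_id, "session": session, "name": claims.get("name")}
    raise ValueError("unknown principal type: %r" % (kind,))


def validate_id_token(token: str, client_id: str, verify_signature, now: int) -> dict:
    """Return the claims of a token accepted for this app, or raise ValueError.

    verify_signature(signing_input: bytes, signature: bytes, header: dict) -> bool
    is supplied by the caller and must check the token against the issuer's
    published public keys; key retrieval is outside this page and this example.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")          # alg=none attack
    if not verify_signature((h + "." + p).encode("ascii"), _b64url_decode(s), header):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("token was issued to a different application")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + MAX_SKEW:
        raise ValueError("token issued in the future")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def rejection_reason(token, client_id, verify_signature, now):
    """None if the token is accepted, otherwise the reason it was refused."""
    try:
        validate_id_token(token, client_id, verify_signature, now)
        return None
    except ValueError as exc:
        return str(exc)


# --- Constructed fixtures (not issuer behaviour) ------------------------------
# A real ID token is verified against the issuer's public keys; this HMAC key
# exists only so the example can mint sample tokens offline.
DEMO_KEY = b"constructed-demo-key-not-an-issuer-key"


def demo_verifier(signing_input: bytes, signature: bytes, header: dict) -> bool:
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims: dict) -> str:
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    return h + "." + p + "." + _b64url_encode(sig)


NOW = 1_700_000_000
ROLE_CLAIMS = {"iss": ISSUER, "aud": "app-123", "sub": "role-abc:ci-build-42",
               "exp": NOW + 900, "iat": NOW, "aid": "1234567890", "uid": "role-abc",
               "type": "role", "name": "DeployRole:ci-build-42"}

if __name__ == "__main__":
    token = make_demo_token(ROLE_CLAIMS)
    print(describe_principal(validate_id_token(token, "app-123", demo_verifier, NOW)))
    print(rejection_reason(token, "other-app", demo_verifier, NOW))
```

The ID token identifies the user to the application; it is not presented to Alibaba Cloud APIs, so none of the checks above are a substitute for passing the access token to the resource server. Key the application's own records on sub (or uid), never on login_name, upn or name, which are display values.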