All Products
Search
Document Center

Resource Access Management:OAuth application overview

Last Updated:Jul 10, 2026

RAM supports user authentication and application authorization by using the OAuth 2.0 and OAuth 2.1 protocols. This topic describes the key concepts, use cases, and OAuth scopes.

Key concepts

Concept

Description

User

An Alibaba Cloud account, RAM user, or RAM role that logs on to Alibaba Cloud and authorizes an application to access cloud resources.

Note

OAuth applications created before September 10, 2024, do not support RAM roles. To enable this feature for older applications, you can submit a ticket.

Alibaba Cloud OAuth service

Authenticates users, obtains user authorization, and issues tokens to the authorized application.

Client application

An application created in the current Alibaba Cloud account. Users under this account can access the application directly without authorization. Users from other Alibaba Cloud accounts must install and authorize the application first.

You can create the following types of client applications:

  • Web Application: An application that runs in a browser.

  • Native Application: A local application that runs on a desktop or mobile operating system.

  • Server Application: An application that accesses Alibaba Cloud services without user login. This type is supported only for SCIM-based user provisioning applications.

Third-party application

An application created outside your account that you can install and authorize.

Official application

A third-party application provided by an Alibaba Cloud service that any Alibaba Cloud account can install.

OAuth scope

OAuth scopes limit the resources that an application can access on behalf of a logged-on user. The following scopes are supported:

  • openid: Obtains the user's OpenID. Default scope; cannot be removed.

    Note

    The OpenID is a unique user identifier that does not contain the Alibaba Cloud UID or username. To obtain the UID or username, request the aliuid or profile scope.

  • aliuid: Obtains the Alibaba Cloud UID, including the RAM user UID and the parent account UID.

  • profile: Obtains the user's logon name. For an Alibaba Cloud account, returns the logon name. For a RAM user, returns the UPN and display name.

  • /acs/ccc: Accesses Alibaba Cloud Call Center APIs.

  • /acs/cloudesl: Accesses Alibaba Cloud Price Tag APIs.

  • /acs/alidns: Accesses Alibaba Cloud DNS APIs.

  • /acs/scim: Accesses SCIM.

  • /acs/digitalstore: Accesses Digital Store.

  • /acs/scsp: Accesses Smart Customer Service Platform.

  • /acs/cloudgame: Accesses Cloud Gaming Platform.

  • /acs/aiccs: Accesses Artificial Intelligence Cloud Call Service.

  • /acs/alimt: Accesses Machine Translation.

  • /acs/easygene: Accesses Genomics Computing Platform APIs.

  • /acs/mcp-server: Authorizes the official MCP service to call cloud service APIs.

    Note

    The /acs/mcp-server scope is supported only in OAuth 2.1.

Token

Tokens issued by the OAuth service represent the identity of the logged-on user.

  • ID token: Contains user identity information but does not grant access to Alibaba Cloud resources.

  • Access token: Contains user identity and OAuth scope information. You can use this token to access Alibaba Cloud resources within the granted scopes.

  • Refresh token: Used to obtain a new access token without requiring the user to log on again.

Alibaba Cloud API

Applications call Alibaba Cloud APIs to access cloud resources.

Use cases

ID token claims

An ID token that contains the openid, aliuid, and profile scopes includes the following claims.

Parameter

Description

Example

Required scope

exp

The UNIX timestamp when the token expires.

1517539523

openid

sub

A unique, opaque user identifier that does not contain the Alibaba Cloud UID or username.

Note

When the logged-on user is a RAM role, the sub is generated based on the role actor in the format <RoleId:RoleSessionName>. Each actor has an independent sub.

123456789012****

openid

aud

The audience of the token, which is the OAuth application ID.

4567890123456****

openid

iss

The issuer of the token. The value is https://oauth.aliyun.com.

https://oauth.aliyun.com

openid

iat

The UNIX timestamp when the token was issued.

1517533200

openid

aid

The ID of the Alibaba Cloud account to which the user belongs.

177242285274****

aliuid

uid

The ID of the logged-on user. Valid values:

  • Alibaba Cloud account: The ID of the Alibaba Cloud account. The value is the same as the aid claim.

  • RAM user: The ID of the RAM user.

  • RAM role: The ID of the RAM role.

20124982101502****

aliuid

type

The type of the logged-on user. Valid values:

  • account: Alibaba Cloud account

  • user: RAM user

  • role: RAM role

user

profile

login_name

The logon name of the Alibaba Cloud account.

Note

Returned only for Alibaba Cloud accounts.

Alice

profile

upn

The logon name of the RAM user.

Note

Returned only for RAM users.

Bob@examplecompany.onaliyun.com

profile

name

The name of the logged-on user. Valid values:

  • RAM user: The display name of the RAM user.

  • RAM role: <RoleName:RoleSessionName>.

Note

Returned only for RAM users and RAM roles.

Bob

profile