OAuth permission scopes

Right now the validation of scope is based on two things:

  1. The scopes requested during a token request are checked against the scopes registered on the OAuth client; a scope the client was not registered for is rejected.
  2. If one of the scopes registered on the OAuth client and present in the request is openid, then an id_token JWT, signed with the client secret, is sent along with the access token.

Scopes are of limited use for restricting access as of now, because a more powerful roles and permissions system already exists and scopes are never consulted against it.

What is needed is a proper connection between roles and scopes, with the combination validated on every OAuth2 request, not only at token issue time.

The user from the token is set as the logged-in user, which hands control directly to role permissions; the granted scopes restrict nothing after that point, so a token issued for a narrow scope can do everything the user's roles allow.
Something like GitHub's OAuth2, where the scopes on a token bound what that token can do, is the model to aim for.
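The following is an added example, not code from the original page or from the project it describes. It sketches the two checks listed above (requested scopes validated against the client's registration, and an HS256 id_token minted with the client secret when openid is granted) and then contrasts the current behaviour, where only the user's roles decide, with a proposed check that also requires a granted scope to cover the action. The client registry, the scope-to-permission mapping (SCOPE_GRANTS), the role tables and the user are all constructed sample data, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample registry: one OAuth client and the scopes it may request.
CLIENTS = {
    "client-abc": {"secret": "client-abc-secret", "scopes": {"openid", "read:todo", "write:todo"}},
}

# Hypothetical mapping from scope to the (doctype, action) pairs that scope may cover.
SCOPE_GRANTS = {
    "read:todo": {("ToDo", "read")},
    "write:todo": {("ToDo", "read"), ("ToDo", "write")},
}

# Constructed role and user tables standing in for the existing role/permission system.
ROLE_GRANTS = {"Task Manager": {("ToDo", "read"), ("ToDo", "write"), ("User", "read")}}
USER_ROLES = {"alice@example.com": {"Task Manager"}}


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, secret):
    """Mint a compact JWT, HMAC-SHA256 signed with the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token, secret, now=None):
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion such as "none"
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def validate_scopes(client_id, requested):
    """Check 1: every requested scope must be registered on the OAuth client."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    unknown = set(requested) - client["scopes"]
    if unknown:
        raise ValueError(f"scope not registered on client: {sorted(unknown)}")
    return set(requested)


def issue_tokens(client_id, user, requested, now=None, ttl=3600):
    """Issue an access token; add an id_token when openid was granted (check 2)."""
    now = int(time.time() if now is None else now)
    scopes = validate_scopes(client_id, requested)
    secret = CLIENTS[client_id]["secret"]
    scope_str = " ".join(sorted(scopes))
    access = {"sub": user, "client_id": client_id, "scope": scope_str, "iat": now, "exp": now + ttl}
    out = {"access_token": sign_hs256(access, secret), "token_type": "Bearer", "scope": scope_str}
    if "openid" in scopes:
        id_claims = {"iss": "https://idp.example", "sub": user, "aud": client_id, "iat": now, "exp": now + ttl}
        out["id_token"] = sign_hs256(id_claims, secret)
    return out


def role_allows(user, doctype, action):
    """Current behaviour: once the token's user is the logged-in user, only roles decide."""
    return any((doctype, action) in ROLE_GRANTS.get(r, set()) for r in USER_ROLES.get(user, set()))


def token_allows(client_id, access_token, doctype, action, now=None):
    """Proposed behaviour: a role must permit the action AND a granted scope must cover it."""
    claims = verify_hs256(access_token, CLIENTS[client_id]["secret"], now)
    scope_ok = any((doctype, action) in SCOPE_GRANTS.get(s, set()) for s in claims["scope"].split())
    return scope_ok and role_allows(claims["sub"], doctype, action)


def rejects(fn, *args, **kwargs):
    """True if fn raises ValueError for these arguments (used to exercise the failure paths)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

With a token issued for openid and read:todo, role_allows still says the user may write ToDo, which is exactly the gap the page describes; token_allows denies the write because no granted scope covers it, while the read still goes through.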