How to Deal With Permissions in OAuth2?
fleeting
I already tackled a similar topic in "What should I put into those scopes and access token claims?", but now that my point of view has changed, I would like to add to that reflection.
First, let's remember why we need OAuth in the first place: a resource owner (the user) delegates to a client application a limited, scoped access to resources held by a resource server, without handing over their credentials.
If what you want to deal with does not fit that picture, OAuth 2 may not be the right candidate.
That said, with some charitable interpretation, a lot of classical setups can be read that way.
For instance, consider the classic admin role that can create, edit and remove other users.
In that case, you can treat the application as a first-party application and the users as the admin's resources: the admin delegates to the application the right to manage them. The scope could then be scp=admin, and the resource server refuses any user-management call whose access token does not carry it.
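The admin-as-resource-owner reading above, worked through as an added example (this is not code from the original note): an authorization server mints an access token whose scp claim lists the granted scopes, and the users API checks signature, expiry, audience and scope before letting a call through. Assumptions of my own: HS256 over a constructed shared secret so the example runs offline with the standard library only (a real deployment would use asymmetric keys and a JWKS), a space-separated scp claim, a hypothetical audience users-api, and a hypothetical policy table that says which scopes may do what to /users. The error strings follow the bearer-token error codes of RFC 6750.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the authorization server and the resource server.
# Hypothetical value for this example only; never ship a hard-coded secret.
SECRET = b"example-shared-secret-do-not-use"

# Hypothetical policy: which scopes are acceptable for each user-management operation.
# The admin scope from the note covers everything; a read-only scope is added to
# show that a narrower delegation is refused on write operations.
POLICY = {
    ("GET", "/users"): {"users:read", "admin"},
    ("POST", "/users"): {"admin"},
    ("DELETE", "/users"): {"admin"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scopes, aud: str, ttl: int = 300, now=None) -> str:
    """Authorization server side: mint an HS256 JWT carrying the granted scopes in `scp`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "aud": aud, "iat": now, "exp": now + ttl, "scp": " ".join(scopes)}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, now=None):
    """Resource server side: return the claims if signature, alg, expiry and audience
    all check out, otherwise None. The algorithm is fixed by the verifier, never
    taken from the token header, to rule out alg-confusion tricks."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / structure
        return None
    if header.get("alg") != "HS256":
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("aud") != expected_aud:
        return None
    return claims


def authorize(token: str, method: str, path: str, now=None):
    """Decide an incoming request the way a bearer-token resource server would.
    Returns (http_status, detail); detail uses the RFC 6750 error codes."""
    claims = verify_token(token, expected_aud="users-api", now=now)
    if claims is None:
        return 401, "invalid_token"
    acceptable = POLICY.get((method, path))
    if acceptable is None:
        return 404, "unknown resource"
    granted = set(claims.get("scp", "").split())
    if not granted & acceptable:
        return 403, "insufficient_scope"
    return 200, f"{claims['sub']} may {method} {path}"


if __name__ == "__main__":
    t = int(time.time())
    admin_tok = issue_token("alice", ["admin"], "users-api", now=t)
    reader_tok = issue_token("bob", ["users:read"], "users-api", now=t)
    print(authorize(admin_tok, "DELETE", "/users", now=t))   # admin scope: allowed
    print(authorize(reader_tok, "DELETE", "/users", now=t))  # read scope only: 403
```

The resource server never trusts the presence of a scope on its own: a token minted for another audience, an expired one, or a payload whose scp was edited after signing all come back as invalid_token before the scope is even looked at, which is what makes scp=admin meaningful as a delegated permission rather than a self-declared role.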