I’m trying to implement a client credentials authorisation flow and need to assign different scopes to different applications (service - machine to machine). Not all should be able to see the same data. For example, an internal service can have admin access but an external one would have only read access.
I can see I can add custom scopes to the authorization server but haven’t found a way to link the new scope to certain applications.
In the authorization server policy you can specify who can obtain which scope based on the information available; this way you can prevent your clients from obtaining an access token for a required scope. Then it is a task for your service applications to verify the token presented to them and grant or deny the operation requested by a client.
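The two halves of the answer (the authorization server decides which client gets which scope; the resource server only verifies the token and checks the scope) look like this in practice. The example below is added here and is not code from the thread or from any vendor SDK: it mints two constructed client-credentials tokens, one for a hypothetical internal service with `orders:admin` and one for an external service limited to `orders:read`, then shows a resource server validating the token (signature, algorithm, expiry, issuer, audience) before reading the scope claim. For self-containment it signs with HS256 and a shared secret, whereas a real authorization server would sign with RS256 and publish a JWKS; the issuer and audience strings are placeholders. Scopes are read from either the `scp` array (Okta-style) or the space-delimited `scope` string (RFC 9068 style).

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the authorization server minting an access token.
    Constructed for this example only: HS256 with a shared secret. A real
    server would sign with RS256 and the service would fetch its JWKS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenError(Exception):
    pass


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Resource-server side validation. Everything here runs before any
    claim is trusted: signature, pinned algorithm, exp, iss and aud."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        raise TokenError("malformed claims")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


def granted_scopes(claims: dict) -> set:
    """Accept either an `scp` array or a space-delimited `scope` string."""
    if isinstance(claims.get("scp"), list):
        return set(claims["scp"])
    return set(str(claims.get("scope", "")).split())


def authorize(claims: dict, required_scope: str) -> bool:
    """The only policy the service enforces: is the required scope present?"""
    return required_scope in granted_scopes(claims)


# --- constructed demo data; none of these are real secrets, clients or URLs ---
SECRET = b"example-shared-secret-do-not-use"
ISSUER = "https://example.okta.com/oauth2/default"  # hypothetical issuer
AUDIENCE = "api://orders"                            # hypothetical audience
NOW = 1_700_000_000                                  # fixed clock for the demo


def demo_tokens():
    """Two tokens as the authorization server policy would issue them:
    the internal client was allowed to obtain orders:admin, the external
    client was not."""
    base = {"iss": ISSUER, "aud": AUDIENCE, "iat": NOW, "exp": NOW + 3600}
    internal = make_token({**base, "sub": "0oa-internal-client", "scp": ["orders:read", "orders:admin"]}, SECRET)
    external = make_token({**base, "sub": "0oa-external-client", "scp": ["orders:read"]}, SECRET)
    return internal, external


def can_call(token: str, required_scope: str, secret: bytes = SECRET, now=NOW) -> bool:
    """What an endpoint handler does per request: validate, then check scope."""
    try:
        claims = verify_token(token, secret, ISSUER, AUDIENCE, now)
    except TokenError:
        return False
    return authorize(claims, required_scope)


if __name__ == "__main__":
    internal, external = demo_tokens()
    print("internal -> orders:admin:", can_call(internal, "orders:admin"))
    print("external -> orders:admin:", can_call(external, "orders:admin"))
```

The point to notice is that `authorize` never looks at which application is calling; the scope in a validly signed token is the only input, because the decision about which client may hold `orders:admin` was already made by the authorization server's policy. Any attempt by the external client to splice the internal client's claims into its own token fails at the signature check, which is why the service must verify the signature before reading `scp` at all.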