I am testing out access policies for API access management. I am creating a set of policies which map groups to API scopes. For example, if a user/service is assigned group A, they can have access to X set of scopes. In addition, I could create another policy which says group B (ie admin), can have access to X set plus Y scopes.
Now, If I were to build an SPA application which handles both A and B groups I would like to log the user in by requesting X + Y scopes up front.
If the user is in group A, I would like the returned granted scopes to only include X (this is silent downscoping I think) despite requesting all up front.
If the user is in group B, then they should be returned a token with scopes X + Y.
My issue here is that if I request all of them up front for a user in group A, then it will always fail because the policy which defines group B fails.