I was curious if somebody could explain to me possible attack scenarios involving granting consent to scopes with OAuth/OIDC. If an application asks for user consent to grant scopes such as "read user data on the API", does it mean that whoever controls the OAuth/OIDC application (could be an Okta admin) could misuse the consent previously granted by the user? Misuse in the sense that the Okta admin could read data from the API as that user, or simply as the Okta application that consent was granted to?
You can read more about consent on the following page.
It is the OAuth/OIDC application that a user is logging into that is getting consent to access the user's data. The access token generated would then allow the application access to the data. Consent is a visual indicator for the user to acknowledge giving the application this right, which the user could deny if they choose.
This would not provide any access for an Okta admin or the Okta system.
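To make the answer concrete, here is an added example (not code from the original post, and not Okta's implementation) that simulates the three parties: the consent store and token issuer of an authorization server, and an API that enforces the scope. The scope name `read:user`, the client ids, the user names and the HS256 signing key are all constructed for the example; a production authorization server such as Okta signs access tokens asymmetrically (RS256) and publishes the verification key via JWKS, which changes nothing in the logic shown. The point it illustrates is that the token names both the user (`sub`) and the client the consent was granted to (`client_id`), is minted only for scopes that user consented to for that client, and cannot be forged by anyone who lacks the authorization server's signing key.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key held only by the authorization server (constructed
# for this example; a real deployment would use an asymmetric key and JWKS).
AS_SIGNING_KEY = b"example-authorization-server-key"

# Consent store: (user, client_id) -> scopes the user approved for that client.
CONSENTS = {}


def record_consent(user, client_id, scopes):
    """The user approves the consent screen shown for one specific client."""
    CONSENTS.setdefault((user, client_id), set()).update(scopes)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, client_id, requested_scopes, now=None):
    """Authorization server: mint an access token for client_id acting for user.

    Only scopes this user has consented to for this client are granted; the
    token records both the user (sub) and the client it was issued to.
    """
    granted = CONSENTS.get((user, client_id), set())
    if not set(requested_scopes) <= granted:
        raise PermissionError("user has not consented to these scopes for this client")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": user,
        "client_id": client_id,
        "scope": " ".join(sorted(requested_scopes)),
        "iat": now,
        "exp": now + 3600,
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token, now=None):
    """Resource server: accept only unexpired tokens signed by the authorization server."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(AS_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    try:
        presented = b64url_decode(parts[2])
    except ValueError:  # binascii.Error is a ValueError: malformed base64url
        return None
    if not hmac.compare_digest(expected, presented):
        return None
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def read_user_data(token, now=None):
    """API endpoint behind the 'read user data' scope (hypothetical name read:user).

    Returns (http_status, body). The data returned belongs to the token's
    subject, and the body records which client the token was issued to.
    """
    claims = verify_token(token, now)
    if claims is None:
        return 401, None
    if "read:user" not in claims["scope"].split():
        return 403, None
    return 200, {"user": claims["sub"], "client_id": claims["client_id"]}


def demo():
    """Consented client gets data; a token forged to name another party is rejected."""
    record_consent("alice", "app-123", {"openid", "read:user"})
    token = issue_token("alice", "app-123", {"read:user"})
    header, _, sig = token.split(".")
    forged_payload = b64url(json.dumps({"sub": "alice", "client_id": "someone-else",
                                        "scope": "read:user", "exp": 2 ** 31}).encode())
    forged = header + "." + forged_payload + "." + sig
    return {
        "consented_client": read_user_data(token)[0],
        "forged_token": read_user_data(forged)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'consented_client': 200, 'forged_token': 401}`: the application the user consented to can call the API with the granted scope, while a payload edited to name a different party fails signature verification. Requesting a scope the user never approved for that client raises before any token exists, and a token carrying only `openid` is refused by the `read:user` endpoint with 403.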