I’m adding my custom ASP.Net WebAPI to Auth0’s API configuration. It’s my understanding I can add scopes to my API inside Auth0. A scope is just a name like read:contacts. When a user of my client authenticates, I can request a set of scopes to be included in the subsequently generated access token. It’s my understanding that my custom ASP.Net WebAPI, which is expecting an access token, can then introspect the token for different scopes and affect functionality according to what scopes are available.
How do you manage scopes entered into Auth0 with how you address scopes inside your custom WebAPI? Is it simply a matter of deciding what scopes your WebAPI needs and making sure Auth0 is set up with the correct set of scopes?
Does this create a tight coupling between your WebAPI and Auth0 in terms of scopes? I can imagine that there could be other apps/services/what-have-ya that want to use your WebAPI but do not use Auth0.
What are the guidelines/best practices for handling scopes between your custom WebAPI and Auth0?
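The scope check the question describes, as an added example (not Auth0's own sample, and not from the original post): an ASP.NET Core authorization requirement that reads the space-delimited `scope` claim from the validated access token and only succeeds when the required scope is present and was issued by the trusted issuer. The issuer URL, audience and the `HasScopeRequirement`/`HasScopeHandler` names are assumptions; the only coupling to Auth0 is the issuer string and the scope names, so any issuer the API is configured to trust could mint equivalent tokens.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// One required scope (e.g. "read:contacts") and the issuer whose claim is trusted to carry it.
public class HasScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public string Issuer { get; }
    public HasScopeRequirement(string scope, string issuer)
    {
        Scope = scope ?? throw new ArgumentNullException(nameof(scope));
        Issuer = issuer ?? throw new ArgumentNullException(nameof(issuer));
    }
}

// The OAuth 2.0 "scope" claim is a single space-delimited string, so split it and require an
// exact (ordinal) match. A missing claim or a claim from another issuer leaves the requirement unmet.
public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   HasScopeRequirement requirement)
    {
        var scopeClaim = context.User.FindFirst(c => c.Type == "scope" && c.Issuer == requirement.Issuer);
        if (scopeClaim == null)
            return Task.CompletedTask;

        var scopes = scopeClaim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (scopes.Contains(requirement.Scope, StringComparer.Ordinal))
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

// Wiring (Program.cs). Assumes the Microsoft.AspNetCore.Authentication.JwtBearer package;
// issuer and audience are placeholders for your tenant and your API identifier in Auth0.
public static class Program
{
    public static void Main(string[] args)
    {
        const string issuer = "https://YOUR_TENANT.auth0.com/";
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddAuthentication("Bearer").AddJwtBearer(o =>
        {
            o.Authority = issuer;                       // signing keys fetched from the issuer's JWKS
            o.Audience = "https://YOUR_API_IDENTIFIER"; // reject tokens minted for another API
        });
        builder.Services.AddAuthorization(o => o.AddPolicy("read:contacts",
            p => p.Requirements.Add(new HasScopeRequirement("read:contacts", issuer))));
        builder.Services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();
        var app = builder.Build();
        app.UseAuthentication();
        app.UseAuthorization();
        app.MapGet("/contacts", () => "contacts").RequireAuthorization("read:contacts");
        app.Run();
    }
}
```

A request whose token lacks `read:contacts` gets a 403 from the policy, and one whose signature, issuer or audience does not validate gets a 401 before the scope handler ever runs.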