Client Credentials - access to everything?

It seems to me that user flows of OAuth2 are always restricted to the data owned by the actual user. On the other hand, the client credentials flow seems to be less restrictive, allowing access to data of all users. I think it’s due to the fact that the scopes are static. A user-flow app will get read_mail scop, but the token would also contain the userId or something similar. A client credentials app would also get read_mail scope, but this time there is no additional context. Such an app would read everything.

Is my understanding correct? It seems to me that there should be something like “dynamic” scopes, where a daemon app could be granted some scope limited to some specific context (like a user) - instead of read_mail, the app could get read_mail_user253 scope.

What do you think?

Someone with more experience than me will hopefully offer some insight but I would suggest that, it there is a user context involved, you should not be using client credentials. CC is meant for “machine to machine” interaction such as two APIs talking to one another. “read_mail” and “user253” should only ever happen where the user is (or was at some point) part of the context.

The usual model is “user253” delegates the “read_mail” scope to an API, allowing that API to read mail for “user253”. This is encoded in the access token so API cannot read anyone else’s mail (well, the API needs an AT from another user to read that other users email).

Right, but in some cases, you might want to run a cron job running without the user being in front of a computer. In such cases I wish I was able to limit app’s access to particular users only, not all of them.