I’ve read this thread: Client credentials request ignores scope parameter? - #2 by nicolas_sabena which says this is intentional - but I’m not sure I agree with the reasoning.
The rationale behind this decision is that the requester already has the credentials (the “keys to the kingdom”) to ask for any scope, so there’s no point in restricting the scopes by default.
But thinking about someone MITM’ing that token, or it being leaked in some other way (accidentally logged, for example), surely it makes sense to request tokens which have the minimum amount of scopes required to perform the operation (e.g. the principle of least privilege), thus minimising the blast radius if the token was leaked?
Feel free to tell me I’m wrong, I just can’t get my head around why we would effectively create a super-user grant token for all operations when we could have the ability to request smaller permissions.
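An added example (not from the original post, and not Auth0's own code) that puts the argument above into practice: a client_credentials request that names only the scopes the operation needs, plus a check that the token which came back is not broader than what was requested. The JWT layout, claim names and scope values are assumptions.

```python
import base64
import json
from urllib.parse import urlencode


def build_client_credentials_request(client_id, client_secret, scopes):
    """Form body for an RFC 6749 section 4.4 client_credentials request that
    asks only for the scopes this operation needs (assumed scope names)."""
    if not scopes:
        raise ValueError("request an explicit, minimal scope list")
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(sorted(scopes)),
    })


def jwt_claims(token):
    """Decode a JWT payload without verifying it; signature validation belongs
    to the resource server, this only inspects what the server issued."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def excess_scopes(token, requested):
    """Scopes in the token that were never requested. A non-empty set means the
    authorization server ignored the scope parameter and issued a broader token."""
    granted = set(jwt_claims(token).get("scope", "").split())
    return granted - set(requested)


def assert_least_privilege(token, requested):
    """Refuse to use a token that carries more than the minimum scope set."""
    extra = excess_scopes(token, requested)
    if extra:
        raise PermissionError(f"token carries unrequested scopes: {sorted(extra)}")
    return True


def _fake_jwt(claims):
    """Constructed sample token with an empty signature, for offline use only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed tokens: one honours the requested scope, the other carries every scope the client could ask for.
MINIMAL_TOKEN = _fake_jwt({"sub": "client@clients", "scope": "read:orders"})
BROAD_TOKEN = _fake_jwt({"sub": "client@clients", "scope": "read:orders write:orders delete:orders"})

if __name__ == "__main__":
    print(build_client_credentials_request("id", "secret", ["read:orders"]))
    print(assert_least_privilege(MINIMAL_TOKEN, ["read:orders"]))
    print(excess_scopes(BROAD_TOKEN, ["read:orders"]))
```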