Setting up some machine to machine relations in OAuth reveals some unexpected and (from our point of view) undesirable behavior. Should we really implement hooks to fix this?
- Omitting scope in the request returns all granted scopes for the client (security risk)
- Explicitly requesting the empty scope “” returns all granted scopes (seems wrong)
- Explicitly requesting one scope, “read”, returns all granted scopes, “read” and “write” (seems wrong)
Is this really the behaviour we should expect from Auth0?
We are relying on requesting as narrow scopes as possible for our machine-initiated communications, partly because the generated tokens may be cached for longer spans of time.
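One client-side safeguard against the behaviour described in this post is to compare the scope actually granted with the scope that was requested before the token is used or cached. The following is an added example, not code from the original post or from Auth0; the token response and the unsigned demo JWT are constructed here for illustration, and the function names (`accept_token`, `excess_scopes`, `jwt_scope_claim`) are hypothetical. It prefers the `scope` member of the token response (RFC 6749 §5.1, present when the granted scope differs from the request) and falls back to the token's `scope` claim.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(scope: str) -> str:
    """Constructed, unsigned JWT used only to exercise the check below."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "demo-client@clients", "scope": scope}).encode())
    return f"{header}.{payload}."


def parse_scopes(scope_str: str) -> set:
    """RFC 6749 section 3.3: scope is a space-delimited list of tokens."""
    return set(scope_str.split())


def jwt_scope_claim(token: str) -> str:
    """Read the scope claim from the payload segment.

    This only inspects the claim; signature verification is a separate step
    that a real client must still perform before trusting any claim.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("scope", "")


def excess_scopes(requested: str, granted: str) -> set:
    """Scopes the server granted beyond what the client asked for."""
    return parse_scopes(granted) - parse_scopes(requested)


def accept_token(requested_scope: str, token_response: dict):
    """Return (access_token, expires_in) only if the granted scope stays within
    the requested scope; otherwise return None so the caller neither uses nor
    caches an over-privileged token."""
    granted = token_response.get("scope") or jwt_scope_claim(token_response["access_token"])
    if excess_scopes(requested_scope, granted):
        return None
    return token_response["access_token"], token_response.get("expires_in", 0)


class ScopedTokenCache:
    """Tiny cache keyed by requested scope; refuses over-broad tokens."""

    def __init__(self):
        self._entries = {}

    def put(self, requested_scope: str, token_response: dict) -> bool:
        accepted = accept_token(requested_scope, token_response)
        if accepted is None:
            return False
        self._entries[requested_scope] = accepted
        return True

    def get(self, requested_scope: str):
        return self._entries.get(requested_scope)


if __name__ == "__main__":
    # Constructed response mirroring the post: "read" requested, "read write" granted.
    broad = {"access_token": make_demo_token("read write"), "token_type": "Bearer",
             "expires_in": 86400, "scope": "read write"}
    narrow = {"access_token": make_demo_token("read"), "token_type": "Bearer",
              "expires_in": 86400}
    cache = ScopedTokenCache()
    print("broad token cached:", cache.put("read", broad))    # False
    print("narrow token cached:", cache.put("read", narrow))  # True
```

Because the comparison is set-based, an empty requested scope (the second case in the post) is treated as "nothing requested", so any granted scope at all is excess and the token is rejected rather than cached for a long lifetime.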