I have an API (resource server) configured, with a given set of scopes declared.
I have multiple 3rd party Clients configured that use the implicit grant authorization call flow to get access_tokens on behalf of our users.
Each 3rd party Client has different rights over the resource server and should not be allowed the same inventory of scopes.
I’d like to make sure that a given client can only get access_tokens generated with a narrowed subset of scopes, for which it has authorization.
In other words the end-user, through the related 3rd party app, should NOT be able to request certain scopes that are not available to the 3rd party app developer, although they exist at the resource server level.
Obviously I could create a specific version of the resource server with only the authorized scopes and make sure the 3rd party developer targets the right API audience when authorizing the Client, but I’d prefer avoiding this.
Is there a good option to do that?
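As an added illustration of the check the question is asking for (example code, not from the original post or any particular identity product): the authorization server keeps a per-client allowance of scopes and, on each implicit-grant request, either rejects the request with the OAuth `invalid_scope` error or narrows the issued scope to the intersection. All client ids, scope names and function names below are assumptions.

```python
# Added example: per-client scope narrowing at the authorization server.
# Registry contents, client ids and scope names are constructed for illustration.
from dataclasses import dataclass

# Scopes declared on the API (resource server); assumed values.
API_SCOPES = {"read:orders", "write:orders", "read:profile", "admin:users"}


@dataclass
class Client:
    client_id: str
    allowed_scopes: set  # the subset of API_SCOPES this client may ever receive


# Assumed client registry: each 3rd party app gets its own allowance.
CLIENTS = {
    "partner-app": Client("partner-app", {"read:orders", "read:profile"}),
    "internal-dashboard": Client(
        "internal-dashboard", {"read:orders", "write:orders", "admin:users"}
    ),
}


class InvalidScope(ValueError):
    """Maps to the OAuth 2.0 error code invalid_scope on the redirect (RFC 6749)."""


def authorize_scopes(client_id: str, requested: str, strict: bool = True) -> str:
    """Return the space-separated scope string the access_token may carry.

    strict=True : fail closed, rejecting the whole request if any requested
                  scope lies outside the client's allowance.
    strict=False: drop disallowed scopes; the token response must then echo
                  the narrowed 'scope' so the app learns what it actually got.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        raise InvalidScope("unknown client")
    wanted = set(requested.split())
    if not wanted:
        raise InvalidScope("empty scope")
    unknown = wanted - API_SCOPES
    if unknown:
        raise InvalidScope(f"scope(s) not defined on the API: {sorted(unknown)}")
    disallowed = wanted - client.allowed_scopes
    if disallowed and strict:
        raise InvalidScope(f"client not authorized for: {sorted(disallowed)}")
    return " ".join(sorted(wanted & client.allowed_scopes))


def request_is_allowed(client_id: str, requested: str) -> bool:
    """Convenience predicate: True only if the strict check would issue a token."""
    try:
        authorize_scopes(client_id, requested)
        return True
    except InvalidScope:
        return False
```

With `strict=True` the end-user cannot obtain `admin:users` through `partner-app` even though that scope exists on the API; with `strict=False` the token is simply issued with the narrowed scope.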