Is there any way to define scope for user also or we can only do it for client?
For example , suppose there are two users bob and john. Both belongs to client Test-App.
Test APP has all the permissions ( all scopes )
So how can assign different permission to Bob and john ???
Or should I create two separate client named as TestApp-1 and TestApp-2 having different scopes and associate the bob and john to these different client accordingly.
Note : I am taking in code perspective not Auth0 manager at Auth0 website.
Can you clarify what you mean with your ending note?
I mean i dont want to set permission in auth manager at auth0 website.
I wanna handle the permission using code.
I’m assuming you’re referring to the per client authorization manager/section that you can encounter within an API and that allows you to authorize certain scopes for certain applications.
Have in mind that the section described above is meant to authorize scopes for client applications that perform client credentials grants. This grant does not involve end-users, the client application authenticates directly using client identifier and secret and receives an access token in accordance to the scopes you manually configured.
For end-user flows that manual configuration does not apply, the client application can request any scope defined by the API. If you want to implement a policy that results in User A being restricted to a set of scopes different than User B then you should use rules for this and implement the dynamic logic that decides who gets what in the rule. See this related question and answer.