On the scopes page for an API (and in the help section on scopes), there is a warning:
By default, any user of any application can ask for any scope defined here. You can implement access policies to limit this behavior via Rules.
My question is - what is meant by “By default, any user of any application can ask for any scope defined here”?
In my scenario, we are using “Machine to Machine” authentication. We have specified an API “Test API” with multiple scopes, “test:scope1” and “test:scope2”. When creating an application, we are required to specify which API and which scopes are enabled.
In my testing, tokens are only issued for applications which are enabled for that API, and scopes are limited to the enabled scopes.
Does this mean we are “non-default”, and therefore the warning is not applicable?
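Whatever the dashboard lets an application ask for, the API named as the audience still has to verify the access token and check its scope claim before serving a request. The following is an added example, not part of the original post and not Auth0's code: it mints a constructed client-credentials style token for "Test API" and shows the resource-server side check for test:scope1 versus test:scope2. The API identifier, issuer and signing secret are hypothetical; HS256 with an inline secret is used only so the example runs offline (a real deployment would verify the issuer's signature against its published keys).

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical values: the real "Test API" identifier and signing key are not in the post.
API_IDENTIFIER = "https://test-api.example"          # assumption: the API's audience identifier
SIGNING_SECRET = b"demo-secret-not-for-production"    # assumption: HS256 so the demo runs offline


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id, scopes, secret=SIGNING_SECRET, now=None, ttl=3600):
    """Build a constructed client-credentials style access token for the demo.

    The claim layout mirrors an M2M token (audience is the API, scope is a
    space-delimited string); it is a sample built here, not a token issued by Auth0.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "https://tenant.example/",   # assumption: tenant issuer
        "sub": f"{client_id}@clients",
        "aud": API_IDENTIFIER,
        "iat": now,
        "exp": now + ttl,
        "gty": "client-credentials",
        "scope": " ".join(scopes),          # only the scopes enabled for this application
    }
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{encode(header)}.{encode(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, secret=SIGNING_SECRET, now=None):
    """Return the payload if signature, audience and expiry check out; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the one the token names
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if API_IDENTIFIER not in aud:           # a token for some other API must not be accepted here
        raise ValueError("token not issued for this API")
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def require_scope(token, needed, secret=SIGNING_SECRET, now=None):
    """True only if the token verifies and its scope claim grants `needed`."""
    granted = set(verify_token(token, secret, now).get("scope", "").split())
    return needed in granted


if __name__ == "__main__":
    # Application enabled for test:scope1 only: scope2 requests are refused at the API.
    token = mint_token("client-abc", ["test:scope1"])
    print("test:scope1 allowed:", require_scope(token, "test:scope1"))
    print("test:scope2 allowed:", require_scope(token, "test:scope2"))
```

The point of the check is that the scope claim is the authoritative answer to "what may this application do", so an API endpoint should call require_scope with the scope it needs rather than relying on the dashboard configuration alone, and a token whose audience is another API, whose signature does not verify, or whose payload has been edited is rejected before the scope is even looked at.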