Scenario:
- Multiple first-party clients are configured with different valid callback URLs. Say FP-Client-A, FP-Client-B, FP-Client-C, each with a different set of callback URLs.
- We have multiple APIs. Say, API-X, API-Y, API-Z.
- All APIs are for first-party use at this time. Users should never be asked for consent when requesting an access token for these APIs.
- However, clients should only be able to get access tokens for specific APIs. I.e., FP-Client-A is allowed access to API-X, but no others. FP-Client-C is allowed access to API-X, API-Y, and API-Z. FP-Client-B is allowed access to none of these APIs (only identity).
How do I accomplish this?
The goal is to prevent a developer (or attacker) with access only to FP-Client-A from getting tokens for anything other than API-X, i.e., to limit the scope of any attack, whether coming from an internal or external entity.
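One way to model the policy the question asks for, as an added example that is not part of the original post and not any particular authorization server's configuration: a per-client audience allowlist evaluated on every token request, with requested scopes narrowed to the target API's defined scopes and consent skipped only for first-party clients. The allowlist, API scope names and the `evaluate_token_request` helper are constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed allowlist for the scenario above: client -> audiences it may request.
# A client missing from a set (FP-Client-B) can still get identity tokens, just no API tokens.
CLIENT_AUDIENCES = {
    "FP-Client-A": {"API-X"},
    "FP-Client-B": set(),
    "FP-Client-C": {"API-X", "API-Y", "API-Z"},
}

# Constructed scope definitions per API; requested scopes outside this set are dropped.
API_SCOPES = {
    "API-X": {"read:x", "write:x"},
    "API-Y": {"read:y"},
    "API-Z": {"read:z", "write:z"},
}

# All three clients are first party, so consent is never prompted for them.
FIRST_PARTY_CLIENTS = set(CLIENT_AUDIENCES)


@dataclass
class Decision:
    allowed: bool
    reason: str
    audience: Optional[str] = None
    scopes: frozenset = field(default_factory=frozenset)
    skip_consent: bool = False


def evaluate_token_request(client_id: str, audience: str, requested_scopes: set) -> Decision:
    """Decide whether the authorization server may mint an access token for `audience`."""
    allowed_audiences = CLIENT_AUDIENCES.get(client_id)
    if allowed_audiences is None:
        return Decision(False, "unknown client")
    if audience not in API_SCOPES:
        return Decision(False, "unknown audience")
    if audience not in allowed_audiences:
        # Reject outright rather than issuing an empty-scope token: a compromised
        # FP-Client-A must not receive anything addressed to API-Y or API-Z.
        return Decision(False, "client not authorized for audience")
    # Grant only the intersection of what was asked for and what the API defines.
    granted = frozenset(requested_scopes) & frozenset(API_SCOPES[audience])
    return Decision(True, "ok", audience, granted, skip_consent=client_id in FIRST_PARTY_CLIENTS)
```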