If I have multiple APIs (represented by multiple scopes), do I have to include all of them in the scopes when users log in? That would end up as a huge long list of strings.
These scopes will also appear on the user consent screen when it is the user's time to log in, which will also put a huge list on the consent screen. In addition, my backend APIs support the front-end (Angular) app, so why does the user need to consent to it? I think that users only need to consent to their social profile, is that right?
If I have multiple APIs (represented by multiple scopes), do I have to include all of them in the scopes when users log in? That would end up as a huge long list of strings.
Yes, but… if you end up with a huge list, you need to ask yourself two things:
Are the scopes defined too fine grained?
Does the application really need access to all the defined scopes?
These scopes will also appear on the user consent screen when it is the user's time to log in, which will also put a huge list on the consent screen. In addition, my backend APIs support the front-end (Angular) app, so why does the user need to consent to it? I think that users only need to consent to their social profile, is that right?
OAuth2 and the concept of scopes were created to solve the problem of delegated authorization (when a third-party application requests consent from the user to access their consent). If you build both the application and the API, the application is referred to as a "first-party client", for which you can skip consent (in the same way that you don't need to consent to Gmail accessing your emails).
Take a look here for instructions on how to skip the consent screen in these cases.
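As an added illustration of the answer above (example code, not from the original thread or any particular authorization server), here is a minimal consent decision: requested scopes are parsed per RFC 6749, checked against what the client is registered for, and the consent prompt is skipped for a first-party client while a third-party client is only asked for scopes the user has not already granted. The client registry, scope names and the grant store are constructed for the example.

```javascript
// Hypothetical client registry (constructed): which scopes each client may
// request, and whether it is first-party (same owner as the APIs it calls).
const CLIENTS = {
  'spa-angular': { firstParty: true,
    allowedScopes: ['openid', 'profile', 'orders:read', 'orders:write', 'invoices:read'] },
  'partner-app': { firstParty: false,
    allowedScopes: ['openid', 'profile', 'orders:read'] },
};

// Hypothetical store of scopes a user has already granted to a client (constructed).
const GRANTS = {
  'alice|partner-app': new Set(['openid', 'profile']),
};

// RFC 6749 section 3.3: scope is a space-delimited, case-sensitive list; drop duplicates.
function parseScope(scopeParam) {
  return [...new Set(scopeParam.split(' ').filter(Boolean))];
}

// Decide whether the consent screen must be shown and for which scopes.
function decideConsent({ clientId, userId, scope }) {
  const client = CLIENTS[clientId];
  if (!client) return { error: 'unauthorized_client' };

  const requested = parseScope(scope);
  // A client may only request scopes it was registered for; anything else is rejected.
  const unknown = requested.filter(s => !client.allowedScopes.includes(s));
  if (unknown.length > 0) return { error: 'invalid_scope', unknown };

  // First-party client: the app and the API share an owner, so no consent prompt.
  if (client.firstParty) return { prompt: false, ask: [], granted: requested };

  // Third-party client: prompt only for scopes not already granted by this user.
  const already = GRANTS[`${userId}|${clientId}`] ?? new Set();
  const ask = requested.filter(s => !already.has(s));
  return { prompt: ask.length > 0, ask, granted: requested.filter(s => already.has(s)) };
}

module.exports = { parseScope, decideConsent };
```

Keeping the registered scope list short for each client is what actually shrinks both the `scope` parameter and the consent screen; the first-party flag only removes the prompt.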