Hello, I have a question regarding writing automated API tests. Right now we can get an m2m token to hit our services, which is easy enough. We grab that with the client credentials grant. The token comes back with all of the permissions we have set up for that particular service.
But specific test cases might want us to not have all of those permissions. For example, if we wanted to test that our authorization was working, we’d want to hit the endpoint without some of those permissions. I could create multiple applications with different scopes, but that doesn’t seem to be a good measure going forward.
How can we approach this scenario? Is there a way to get an m2m token with a specific subset of permissions?