Hi,
Let me start with the sentence that I am new in the OAuth world. Recently, I read all the standards regarding OAuth, OpenID Connect, HOSE etc.
That I come to the some scenario that I just can not find how to cover with OAuth, probably because OAuth is hard to digest at the beginning. :-)
So, let we say that we have:
1. Two services that I want to protect Resource A (Service A, some WebAPI service) and Resource B (Service B, some WebAPI service), and we have Identity Server 3 (the implementation of OpenID Connect (including OAuth 2.0).
2. Resource A have the following scopes: scope_a, scope_b , Resource B have the following scopes: scope_a, scope_c
But here scope_a in Resource A and Resource B are really do not mean the same thing.
Those two services are part of the larger system. And some user should have access to those services but with different privileges.
So when OAuth dance is done the client gets an AccessToken and the client can pass this token to both Service A and Service B
So how to differentiate between those two scopes scope_a (Service A) and scope_a (Service B)?
When those scopes are included in the token, and the token is passed to the Resource, how the Resource know if this token is actually issued for that Resource or some other?