Kind of interesting to consider this to be a security consideration. It
depends on whose security is being considered. I have always thought that
the only way for the subject to approach a request for data is as a privacy
threat. The attacker is the "client" every time. Sometimes it is something at

Hi Justin,
Whether the scopes are known or unknown to the developer, I don't think it
changes the "attack vector" which is to get the client to request more
privilege than it should in a given circumstance. Maybe the attacker has a
way to capture the token once it issues (this of course can be mit

I think we’re used to thinking of scopes in terms of things that a developer
can read and understand, but that’s not always going to be true. For automated
systems like this, the developer isn’t always expected to understand the scope
— they probably don’t even see it in many cases. The client s