1.4.3.3 Requested scopes and granted scopes
The ‘scope’ attribute lists the scopes attached to the token, that is, the scopes the
user actually granted.
Normally these scopes will be identical to what you requested. They are not guaranteed
to be, so compare the granted set against the requested set rather than assuming the two
are equal:
- Users can edit their scopes during authorization, effectively granting your application
less access than you originally requested.
- It is important to handle the case where a user chooses to grant you less access than
you originally requested. The token is still issued, so this is not signalled as an
error; your application has to detect the reduced grant from the ‘scope’ attribute. For
example, applications can warn or otherwise communicate to their users that they will
see reduced functionality or be unable to perform some actions.
- Users can also edit token scopes after the OAuth flow is completed, so a scope that was
granted at authorization time may be missing later.
- You should be aware of this possibility and adjust your application’s behavior
accordingly, for instance by treating an authorization failure on an API call as a
possible scope change rather than retrying blindly.
- Applications can always send users back through the flow again to request additional
permission, but don’t forget that users can always say