If an user has access to both the applications, he can access all the APIs associated with the scopes. But, I was referring to how we can control the permissions for each application. For ex: Let’s say there is a edit user API which can modify the user profile. Let’s say there is a HR application which can call these APIs and there is another Accounting application which cannot modify user details.

The OAuth agent created for the HR application will have the scopes required to call Edit user APIs where as the OAuth agent created for Accounting app won’t have those scopes. The applications should be designed in such a way that only a user with HR role can login to HR application and modify user details. Similarly, a user with only Accounting role can login only to Accounting app which can’t modify the user details.