Let me share an example. Suppose there are 2 client applications, A and B, that want to use the API. A needs only the read API, while B needs both the read and write APIs. We have to create 2 OAuth agents: AgentA with only the read scope and AgentB with the read and write scopes. When A requests an access token it is granted only the read scope, and B is likewise granted both the read and write scopes.

Now let's add a new requirement: in certain scenarios B needs only the read scope, and in other scenarios it needs both read and write. In this case the client code should be written so that B requests only the read scope in the first set of scenarios and both the read and write scopes in the others, rather than always asking for the broader grant.

To summarize, the client application has to be written so that it requests only the minimum set of scopes needed for the operation at hand.
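The following is an added example (not code from the article) of how a client can request the minimum scope per operation for the AgentA/AgentB setup described above. The operation-to-scope mapping, the `MockAuthServer` stand-in for the authorization server, and the `ApiClient` class are assumptions made for illustration; a real server would be called over HTTP and may itself narrow the granted scopes, which is why the client checks the returned scope set before using a token.

```python
"""Least-privilege scope requests for the AgentA / AgentB scenario (hypothetical)."""
from dataclasses import dataclass

# Scopes each OAuth agent (client registration) is allowed to hold, as in the article.
AGENT_ALLOWED_SCOPES = {"AgentA": {"read"}, "AgentB": {"read", "write"}}

# Which scope each API operation actually needs (assumed mapping for this example).
OPERATION_SCOPES = {
    "list_orders": {"read"},
    "get_order": {"read"},
    "create_order": {"read", "write"},
}


@dataclass(frozen=True)
class Token:
    agent: str
    scopes: frozenset  # scopes actually granted by the authorization server


class MockAuthServer:
    """Stand-in authorization server: refuses any scope the agent was not registered with."""

    def issue(self, agent: str, requested: set) -> Token:
        allowed = AGENT_ALLOWED_SCOPES[agent]
        if not requested <= allowed:
            raise PermissionError(f"{agent} may not request {sorted(requested - allowed)}")
        return Token(agent, frozenset(requested))


class ApiClient:
    """Client that asks for exactly the scopes an operation needs and caches tokens per scope set."""

    def __init__(self, agent: str, auth: MockAuthServer):
        self.agent, self.auth = agent, auth
        self._cache: dict[frozenset, Token] = {}

    def scopes_for(self, operations) -> frozenset:
        """Union of the scopes required by the operations the caller is about to perform."""
        needed = set()
        for op in operations:
            needed |= OPERATION_SCOPES[op]
        return frozenset(needed)

    def token_for(self, operations) -> Token:
        needed = self.scopes_for(operations)
        if needed not in self._cache:
            tok = self.auth.issue(self.agent, set(needed))
            # A real server may grant fewer scopes than requested (RFC 6749 §3.3); fail loudly.
            if tok.scopes != needed:
                raise RuntimeError(f"granted {sorted(tok.scopes)}, needed {sorted(needed)}")
            self._cache[needed] = tok
        return self._cache[needed]
```

With this structure, B's read-only code paths never hold a write-capable token, and AgentA is refused outright if a code path mistakenly asks for write.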
