The purpose of OAuth 2.0 scopes is to limit the authorization granted by the user to a client.
The AS-centric AS implements this as follows:
- The client requests a set of scopes when starting an authorization code flow.
- The AS filters the requested scopes against the list of scopes the client is allowed to request; scopes outside that list are dropped before the user sees them.
- The AS presents the filtered scopes to the user during authentication.
- The user decides which scopes to grant through local or remote consent.
- The AS filters the list of granted scopes through the Granted Scopes Processor.
- All scopes that survive the processor are included in the resulting tokens.
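The six steps above form one pipeline, and the security property worth checking is that every stage can only narrow the scope set: the client cannot obtain a scope it is not registered for, the user cannot grant a scope that was never presented, and the processor applies policy to what the user granted. The following is an added example written for this page, not code from the AS the page describes. The names (`ClientRegistration`, `filter_requested_scopes`, `apply_user_consent`, `granted_scopes_processor`, `issue_tokens`, `authorize`) and the processor's policy (dropping OIDC claim scopes when `openid` was not granted) are assumptions made for the illustration; a real Granted Scopes Processor runs whatever policy the deployment configures.

```python
"""Added example: a minimal model of the scope-filtering pipeline
described on this page. All names and the processor policy are
constructed for illustration, not an actual AS API."""
from dataclasses import dataclass

# Constructed policy: these OIDC claim scopes only make sense together
# with "openid", so the processor strips them if "openid" is absent.
OIDC_CLAIM_SCOPES = frozenset({"profile", "email", "address", "phone"})


@dataclass(frozen=True)
class ClientRegistration:
    client_id: str
    allowed_scopes: frozenset  # scopes the client may request, per its registration


def filter_requested_scopes(requested, client):
    """Step 2: keep only requested scopes the client is registered for.
    Returns (presented, rejected) so rejections can be logged for detection."""
    requested = list(dict.fromkeys(requested))  # de-duplicate, keep order
    presented = [s for s in requested if s in client.allowed_scopes]
    rejected = [s for s in requested if s not in client.allowed_scopes]
    return presented, rejected


def apply_user_consent(presented, user_choice):
    """Step 4: the user may only select from the presented scopes.
    Anything in user_choice that was never presented is ignored, so a
    tampered consent response cannot widen the set."""
    return [s for s in presented if s in user_choice]


def granted_scopes_processor(granted):
    """Step 5: constructed Granted Scopes Processor policy. It may only
    narrow the granted set; it never adds scopes."""
    if "openid" not in granted:
        return [s for s in granted if s not in OIDC_CLAIM_SCOPES]
    return list(granted)


def issue_tokens(client, final_scopes):
    """Step 6: put the final scope set on the issued tokens, formatted as
    the space-delimited scope string defined in RFC 6749 section 3.3."""
    scope_str = " ".join(final_scopes)
    return {
        "access_token": {"client_id": client.client_id, "scope": scope_str},
        "refresh_token": {"client_id": client.client_id, "scope": scope_str},
    }


def authorize(client, requested_scopes, user_choice):
    """Run the whole pipeline and return every intermediate set, which is
    what an auditor would want to see in the AS logs."""
    presented, rejected = filter_requested_scopes(requested_scopes, client)
    consented = apply_user_consent(presented, user_choice)
    final = granted_scopes_processor(consented)
    return {
        "presented": presented,
        "rejected": rejected,
        "consented": consented,
        "final": final,
        "tokens": issue_tokens(client, final),
    }


if __name__ == "__main__":
    # Constructed registration: the client may never request "admin".
    client = ClientRegistration("web-app", frozenset({"openid", "profile", "email", "read"}))
    # The client over-requests "admin"; the user ticks every box, "admin" included.
    print(authorize(client, ["openid", "email", "admin", "read"],
                    {"openid", "email", "read", "admin"}))
    # The user declines "openid": the processor then strips "email".
    print(authorize(client, ["openid", "email", "read"], {"email", "read"}))
```

Running the two scenarios in the block shows the narrowing at each stage: `admin` is rejected at the client filter and never reaches consent, and declining `openid` causes the processor to drop `email`, leaving only `read` on the tokens.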