astm-utm / Protocol

ASTM UTM Protocol (API and sequence diagrams)

Remove single scope specification #22

Closed BenjaminPelletier closed 4 years ago

BenjaminPelletier commented 4 years ago

Currently, the API prescribes that access tokens should only have one scope. This prescription should be removed as we do not have a documented reason to impose this limitation, and it will be useful to allow multiple scopes to expand capabilities beyond the standard. For remote ID, we found that adding a scope not specified in the standard would be useful to retrieve enhanced details about a flight for the limited number of Display Providers that could be granted this scope. If access tokens were limited to a single scope, we would have had to create an entirely new endpoint to duplicate the data that is already defined in the flight_details endpoint. We should preserve this flexibility for this API and remove the single scope prescription.

BenjaminPelletier commented 4 years ago

Group discussion: tabled for larger group. NASA recommends a single scope as the easiest way to satisfy the principle of least privilege. If we have multiple scopes on a token, there should be a specification of which scopes can be requested in groups. Will discuss different endpoints versus overloading endpoints.

BenjaminPelletier commented 4 years ago

No objections from larger group
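
The sketch below is an added example, not part of the issue thread or of the ASTM UTM API. It shows one way the two positions above can coexist: the authorization server issues only documented scope groups, and a single `flight_details` handler filters its response by the scopes granted. The scope names, field names and group policy are hypothetical.

```python
# Added illustration. Scope names, record fields and the group policy are
# hypothetical; none of them come from the ASTM standard or this repository.
STANDARD_SCOPE = "example.read.flight_details"
ENHANCED_SCOPE = "example.read.enhanced_details"

# Scope combinations the authorization server agrees to put on one token.
# The enhanced scope is never issued on its own.
ALLOWED_GROUPS = [
    frozenset({STANDARD_SCOPE}),
    frozenset({STANDARD_SCOPE, ENHANCED_SCOPE}),
]


def parse_scopes(scope_claim):
    """Split an OAuth 2.0 space-delimited scope string (RFC 6749, section 3.3)."""
    if not isinstance(scope_claim, str):
        return frozenset()
    return frozenset(scope_claim.split())


def grantable(requested):
    """Authorization-server side: issue only a documented scope group."""
    return parse_scopes(requested) in ALLOWED_GROUPS


def flight_details(claims, record):
    """Resource-server side: one endpoint, response filtered by granted scopes."""
    scopes = parse_scopes(claims.get("scope"))
    if STANDARD_SCOPE not in scopes:
        # Least privilege: the base scope is required, whatever else is present.
        raise PermissionError("insufficient_scope")
    body = dict(record["standard"])
    if ENHANCED_SCOPE in scopes:
        # Extra fields only for the limited set of clients granted this scope.
        body["enhanced"] = dict(record["enhanced"])
    return body


# Constructed sample record, for illustration only.
RECORD = {
    "standard": {"id": "flight-1", "operation_description": "survey"},
    "enhanced": {"operator_contact": "ops@example.com"},
}
```
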