jazzband / django-oauth-toolkit

OAuth2 goodies for the Djangonauts!
https://django-oauth-toolkit.readthedocs.io

How to prevent user to request and grant introspection scope? #1297

Closed zhuang42 closed 1 year ago

zhuang42 commented 1 year ago

As I understand it, scopes are optionally passed to the authorize endpoint. How do I prevent a user from granting some specific scopes and the access token? It seems there is no out-of-the-box solution from DOT?

Chappie74 commented 1 year ago

For that you're going to have to create a custom view that does the token creation and prevent the user from using the /token endpoint that comes with this package. From your view you then make an internal request to the token view with the scope you would like.

Here is an example of how I did it.

(image attachment)

zhuang42 commented 1 year ago

Thank you @Chappie74, it's a good idea. I am thinking of extending the application model and setting a list of scopes, so that the user can only grant the scopes defined by the application.
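An added example, not code from this thread or from django-oauth-toolkit, that combines both ideas above: a per-application `allowed_scopes` list (the model extension zhuang42 proposes) and a wrapper that sanitizes the `scope` parameter before it reaches DOT's token view (Chappie74's approach). The `Application` stand-in, its `allowed_scopes` field and the function names are assumptions; `validate_scopes` is only shaped after the hook of that name in oauthlib's `RequestValidator`, which DOT's `OAuth2Validator` subclasses.

```python
from dataclasses import dataclass, field

# Scopes an end user must never be able to grant through the authorize
# endpoint, whatever the application is configured with (assumed policy).
USER_NON_GRANTABLE = frozenset({"introspection"})


@dataclass
class Application:
    """Stand-in for an extended DOT Application model (assumed field: allowed_scopes)."""
    client_id: str
    allowed_scopes: frozenset = field(default_factory=frozenset)


def parse_scope_param(scope_param: str) -> list[str]:
    """Split an RFC 6749 scope string (space-separated) into unique tokens, keeping order."""
    seen, out = set(), []
    for token in scope_param.split():
        if token not in seen:
            seen.add(token)
            out.append(token)
    return out


def validate_scopes(app: Application, requested: list[str], mode: str = "reject") -> list[str]:
    """Return the scopes that may be granted for `app`.

    mode="reject": raise on any disallowed scope, so the authorize view can
    answer with an invalid_scope error instead of showing a consent form.
    mode="filter": silently drop disallowed scopes, for the internal token
    request a wrapper view makes on the user's behalf.
    """
    disallowed = [s for s in requested
                  if s in USER_NON_GRANTABLE or s not in app.allowed_scopes]
    if disallowed and mode == "reject":
        raise ValueError("invalid_scope: " + " ".join(disallowed))
    return [s for s in requested if s not in disallowed]


def rewrite_token_request(app: Application, params: dict) -> dict:
    """Sanitize the scope of a token request before forwarding it to DOT's token view."""
    granted = validate_scopes(app, parse_scope_param(params.get("scope", "")), mode="filter")
    return {**params, "scope": " ".join(granted)}
```

Resource servers that legitimately need `introspection` should obtain it through a separate client-credentials path, not through a user-facing grant.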