ox-it / dataox

The frontend for data.ox.ac.uk
http://data.ox.ac.uk/

Implement OAuth2 scopes #7

Open alexdutton opened 11 years ago

alexdutton commented 11 years ago

Use OAuth2 scopes to restrict the privileges granted to OAuth2 consumers (as at the moment they get access to everything). One way to do it would be to link a scope to a virtual user or group, which is given permissions. The permissions are then the intersection of those of the virtual and real users. Scopes in this world would be created ad hoc on request (which isn't too much of a bother as applications can only be created through the admin interface at the moment).

This would allow us to create meaningful names for scopes ("access to data that is restricted to members of the University", "the ability to delete users", etc).
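
A sketch of the scope-to-virtual-user model proposed in this issue, added here as an example and not taken from the dataox code base. The scope names, permission strings, user names and function names are constructed for illustration; treating several granted scopes as the union of their virtual users' permissions, and rejecting unknown scopes, are assumptions that go beyond what the issue states.

```python
from dataclasses import dataclass

# Constructed sample data: scope name -> permissions given to the scope's virtual user.
SCOPE_VIRTUAL_USERS = {
    "university-restricted-data": frozenset({"data.view_public", "data.view_university"}),
    "user-admin": frozenset({"auth.view_user", "auth.delete_user"}),
}

# Constructed sample data: real user -> permissions they hold themselves.
REAL_USER_PERMS = {
    "alice": frozenset({"data.view_public", "data.view_university", "auth.view_user"}),
    "bob": frozenset({"data.view_public"}),
}


class UnknownScope(ValueError):
    """A token names a scope that has no virtual user behind it."""


@dataclass(frozen=True)
class Token:
    username: str
    scopes: tuple = ()


def effective_permissions(token):
    """Permissions an OAuth2 consumer holds when acting for token.username."""
    granted = set()
    for scope in token.scopes:
        if scope not in SCOPE_VIRTUAL_USERS:
            # Fail closed: an unrecognised scope must never widen access.
            raise UnknownScope(scope)
        granted |= SCOPE_VIRTUAL_USERS[scope]  # assumption: scopes combine by union
    # Intersection with the real user's permissions: a scope can only narrow
    # what the user could already do. No scopes means no access, not everything.
    return frozenset(granted) & REAL_USER_PERMS.get(token.username, frozenset())


def has_perm(token, perm):
    """Authorization check for a single permission; unknown scopes deny."""
    try:
        return perm in effective_permissions(token)
    except UnknownScope:
        return False
```

The "user-admin" scope does not let a consumer delete users on behalf of alice, because alice does not hold that permission herself.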