I want to set up a OAuth 2.0 flow in my code.
I want my code, to be limited to specific scopes (even if someone accidentally writes some extra code to request additional ones).
Let's assume I want my code to be able to only access photos in facebook.
Is the only place to restrict the scope during the request to the authorisation server, e.g.
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email&state=1234zyx
Or is there a way to enforce this restriction when issuing client_id and client_secret so that the following request will eventually fail?
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email,posts&state=1234zyx
My use case is for google APIs btw.
Not enough details provided to know what you are trying to accomplish; But generally: