Tags: php, laravel, oauth-2.0, laravel-middleware, scopes

Laravel OAUTH: Restrict users from requesting any scope they want


When requesting an OAuth Password Grant token, the user can specify his desired scope. How can one prevent a regular user from requesting an admin scope?

The code exemplifies a malicious request that asks for an admin scope, although the user shouldn't have access to it.

curl -X POST \
    http://a.myapiserver.com/api/oauth/token \
    -F grant_type=password \
    -F client_id=2 \
    -F client_secret=PpMrx32Zow5OcQf491GXXT0dlEzMNuYHt6fe4Wdy \
    -F username=regularuser \
    -F password=strongpasss \
    -F scope=admin

Solution

  • The problem was solved by adding a middleware, ScopeLogic, and attaching it to Passport::routes.

    Found the solution here: https://code.i-harness.com/en/q/259c0dd
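The answer above names the middleware but not its contents. What follows is an added example of such a middleware, written for this page and not the code from the linked answer. It assumes a Passport setup where the `admin` scope was registered with `Passport::tokensCan([...])`, a `User` model at `App\Models\User` with a boolean `is_admin` attribute (any other role check would do), and users looked up by their `email` column, which is Passport's default username field for the password grant. The class name `ScopeLogic` is taken from the answer; everything else is an assumption. It only gates password-grant requests, treats Passport's `*` wildcard as a request for every restricted scope, and verifies the password before consulting the user's privileges so the check cannot be used to probe which accounts are admins.

```php
<?php
// app/Http/Middleware/ScopeLogic.php
//
// Added example, not the middleware from the linked answer. Assumptions:
//   - the `admin` scope is registered with Passport::tokensCan([...]);
//   - App\Models\User has a boolean `is_admin` attribute and is looked up by
//     its `email` column, Passport's default username field for this grant.

namespace App\Http\Middleware;

use App\Models\User;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Hash;

class ScopeLogic
{
    /**
     * Scopes that only some users may request, each paired with the predicate
     * deciding whether the authenticating user qualifies. Scopes absent from
     * this map are left to Passport's normal handling.
     */
    protected function restrictedScopes(): array
    {
        return [
            'admin' => fn (User $user): bool => (bool) $user->is_admin,
        ];
    }

    public function handle(Request $request, Closure $next)
    {
        // Only the password grant lets the caller pick scopes in the token
        // request itself, so every other grant type passes straight through.
        if ($request->input('grant_type') !== 'password') {
            return $next($request);
        }

        // RFC 6749 section 3.3: the scope parameter is a space-delimited list.
        $requested = array_values(array_filter(
            explode(' ', (string) $request->input('scope', ''))
        ));

        // Passport treats `*` as "every scope", so it must count as a request
        // for each restricted scope rather than slip past a literal comparison.
        if (in_array('*', $requested, true)) {
            $requested = array_keys($this->restrictedScopes());
        }

        $wanted = array_intersect($requested, array_keys($this->restrictedScopes()));
        if (empty($wanted)) {
            return $next($request);
        }

        // Verify the credentials before looking at privileges, so that an
        // unauthenticated caller cannot use this check to learn who is an admin.
        $user = User::where('email', $request->input('username'))->first();
        if ($user === null || ! Hash::check((string) $request->input('password'), $user->password)) {
            // Wrong credentials: let Passport produce its usual invalid_grant error.
            return $next($request);
        }

        foreach ($wanted as $scope) {
            if (! $this->restrictedScopes()[$scope]($user)) {
                // Same shape as the invalid_scope error league/oauth2-server emits.
                return response()->json([
                    'error' => 'invalid_scope',
                    'error_description' => 'The requested scope is invalid, unknown, or malformed',
                    'hint' => 'Check the `' . $scope . '` scope',
                ], 400);
            }
        }

        return $next($request);
    }
}
```

On Passport versions where you call `Passport::routes()` yourself (in `AuthServiceProvider::boot`), the options array is handed to `Route::group`, so `Passport::routes(null, ['middleware' => \App\Http\Middleware\ScopeLogic::class])` puts the middleware in front of `/oauth/token`; with the curl request from the question, a `regularuser` whose `is_admin` is false then gets a 400 `invalid_scope` instead of an admin token. Two caveats: if your `User` model overrides `findForPassport` to use a different username column, the lookup here must use the same one, or the check and the grant will authenticate different accounts; and the check only covers the password grant, which is the one flow where the end user names scopes directly in the token request. Note also that the OAuth 2.0 Security Best Current Practice deprecates the password grant altogether, so an authorization-code flow, where scopes are approved on `/oauth/authorize`, removes this problem rather than patching it.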