Tags: oauth-2.0, oauth, openid-connect

OAuth2 Architecture with 2 Resource Servers having their own Different Scopes


Is it possible to have an OAuth2 setup involving a central Auth Server and multiple Resource Servers, each with its own access scopes? For example, clientApp accesses resource-server-A with scope1 and scope2, and accesses resource-server-B with scope3 and scope4.

While this might be possible, how do we show all of the above access scopes during authorization time of the clientApp? Is there a standard OAuth/OpenID way to accomplish this?


Solution

  • It is absolutely possible. RFC8707 - Resource Indicators for OAuth 2.0 standardized the common practice that many Authorization Server implementations adopted over the years to allow OAuth 2.0 Clients to indicate which resource servers they intend to use an Access Token at.

    With RFC8707 in place your Client Application can start an authorization request like

    /authorization_endpoint?...&scope=scope1%20scope2%20scope3%20scope4&resource=urn:resource-server:A&resource=urn:resource-server:B
    

    Given that both resource servers are registered at the AS, it's the AS's job to recognize scope1 and scope2 as belonging to resource A, etc. Note that if a scope value is recognized for both resources, the result is a cartesian product of all the scopes at all the target services.

    It is a best practice to only have Access Tokens for a single resource server, and to accommodate that the resource parameter then becomes a parameter for the Access Token Request as well. Combine that with Refresh Tokens and you get a Refresh Token that can issue an Access Token for a different resource each time you call the Refresh Token grant.
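The flow the answer describes, as an added example that is not part of the original post or of any particular Authorization Server: the client builds an RFC 8707 request with a repeated resource parameter, the AS partitions the requested scopes across the registered resource servers, and the refresh-token grant with a resource parameter mints one audience-restricted access token per call. The scope registry, the URN values and the dict-shaped tokens are constructed sample data; the error codes `invalid_target` (RFC 8707 section 2) and `invalid_scope` are the standard ones.

```python
from urllib.parse import urlencode, parse_qs

# Constructed registry of resource servers and the scopes each accepts
# (sample data for this example, not taken from the post).
RESOURCE_SCOPES = {
    "urn:resource-server:A": {"scope1", "scope2"},
    "urn:resource-server:B": {"scope3", "scope4"},
}


def build_authorization_query(scopes, resources):
    """Client side: the RFC 8707 query string, one resource= per target."""
    return urlencode([("scope", " ".join(scopes))] + [("resource", r) for r in resources])


def authorize(query):
    """AS side: split the requested scopes across the indicated resources.

    Returns a refresh-token record {resource: sorted scopes}. Raises
    ValueError("invalid_target") for an unregistered resource and
    ValueError("invalid_scope") when some scope matches none of the indicated
    resources. A scope registered at several resources is granted at each.
    """
    params = parse_qs(query)
    scopes = set(params.get("scope", [""])[0].split())
    resources = params.get("resource", [])
    if any(r not in RESOURCE_SCOPES for r in resources):
        raise ValueError("invalid_target")
    granted = {r: sorted(scopes & RESOURCE_SCOPES[r]) for r in resources}
    granted = {r: s for r, s in granted.items() if s}
    covered = set().union(*granted.values()) if granted else set()
    if scopes - covered:
        raise ValueError("invalid_scope")
    return granted


def refresh_for_resource(refresh_record, resource):
    """Refresh-token grant with resource=: one access token for one audience only."""
    if resource not in refresh_record:
        raise ValueError("invalid_target")
    return {"aud": resource, "scope": " ".join(refresh_record[resource])}
```

A resource server should then verify that `aud` names itself before honouring the token's scopes, which is what keeps a token for A from being replayed at B.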