I have three servers: an application, a resource server, and an OAuth (/OpenID Connect) server. The application is not a third-party application, so I want to be able to generate an access token that allows the application to log in as the user and grant the application all of the user's privileges.
Should the authorization server be responsible for holding the user's privileges, or the application?
What is the best way to create an access token that allows my application all of the privileges of the user, to interact with the resource server?
Maybe have a look at these resources on authorization in APIs, which discuss both OAuth mechanisms and examples of how fields in business data are used. Post back with any follow-up questions:
Preferably name scopes after areas of business data and operations on that data. Different systems therefore design scopes differently.
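As an added illustration of the scope-naming advice above (example code written here, not part of the question or the answer): the authorization server mints an access token whose scopes are named after a business-data area plus the operation (`orders:read`, `orders:write`), and carries the user's identity claims (`sub`, `customer_id`); the resource server pins the algorithm, verifies the signature and expiry, checks the coarse scope for the endpoint, and then applies the fine-grained ownership rule against the business data itself. The HS256 shared secret, the scope names, the `customer_id` claim and the `ORDERS` table are all assumptions constructed for this example; a real deployment would use an asymmetric key published via JWKS rather than a shared secret.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Assumption for this example only: a secret shared by the authorization server
# and the resource server. Production systems should sign with a private key and
# let resource servers verify against the published public key (JWKS).
SECRET = b"example-hs256-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, scopes: list[str], extra_claims: dict,
                ttl: int = 300, now: int | None = None) -> str:
    """Authorization-server side: mint an HS256 JWT for the first-party client.

    Scopes follow the 'area:operation' convention (e.g. 'orders:read').
    extra_claims carries the identity data the resource server needs for
    row-level decisions (here: customer_id). The fine-grained rules stay with
    the business data; the token only carries who the user is and what coarse
    operations the client may attempt on their behalf.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "scope": " ".join(scopes), "iat": now,
               "exp": now + ttl, **extra_claims}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: int | None = None) -> dict:
    """Resource-server side: pin the algorithm, check signature, then expiry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Never let the token choose the algorithm ('none', key confusion, etc.).
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))  # only decoded after the signature holds
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims


def has_scope(claims: dict, required: str) -> bool:
    """Scopes are a space-separated list in the 'scope' claim (RFC 8693 / 9068 style)."""
    return required in claims.get("scope", "").split()


# Constructed sample business data: orders keyed by id, each owned by one customer.
ORDERS = {
    "o-1": {"customer_id": "c-100", "total": 42.0},
    "o-2": {"customer_id": "c-200", "total": 13.5},
}


def get_order(token: str, order_id: str, now: int | None = None) -> dict:
    """Resource-server endpoint: coarse scope check, then ownership check on the data."""
    claims = verify_token(token, now=now)
    if not has_scope(claims, "orders:read"):
        raise PermissionError("missing scope orders:read")
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    # Fine-grained rule lives with the business data: a customer sees only their own orders.
    if order["customer_id"] != claims.get("customer_id"):
        raise PermissionError("not the order owner")
    return order


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError (used for the checks below)."""
    try:
        fn(*args, **kwargs)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    tok = issue_token("alice", ["orders:read"], {"customer_id": "c-100"}, now=1000)
    print(get_order(tok, "o-1", now=1100))          # own order, correct scope
    print(denied(get_order, tok, "o-2", now=1100))  # someone else's order
```

The split matters for the question asked: the authorization server decides identity and which coarse operations the client may perform (the scopes), while the resource server keeps the rules about which rows of business data a given user may touch, since only it knows that data. Tampering with the payload fails the signature check before any claim is read, and an `alg` other than the pinned one is rejected outright.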