[OAuth2] How to limit access by 'scope' while setting 'global_credentials' to true

Hi folks,

Suppose I have two services named A and B; both of them have the OAuth2 plugin enabled and ‘global_credentials’ set to true.

As I know, a token issued by service B can access service A (that’s what ‘global_credentials’ does).

But my question is this: suppose the scope of A is ‘user_profile’ and the scope of B is ‘email, user_profile’.
How should I reject a request to service A made with a token issued by B whose scope is only ‘email’?

You can check the scope from the token. If the token contains only the ‘email’ scope, reject it; otherwise approve. You can decode the token and get these details.
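One way to do the check described in the answer, as an added example that is not code from the thread or from Kong itself: the upstream service behind A verifies that every scope it requires is present in the scope that the gateway attaches to the forwarded request. This assumes Kong's OAuth2 plugin forwards the authenticated token's scope in the `X-Authenticated-Scope` request header (verify this against the plugin version you run) and that scopes are space-delimited as in RFC 6749 §3.3 (commas are tolerated here because the question writes them that way). The header name, the `required` set and the sample headers are constructed for the example.

```python
"""Upstream-side scope enforcement for a service sitting behind an OAuth2 gateway.

Even when a token is accepted globally (global_credentials = true), each
service still has to enforce its own required scopes; this is that check.
"""
from typing import Mapping, Optional, Set, Tuple

# Header in which the gateway forwards the token's granted scope.
# Assumption for this example: Kong's OAuth2 plugin sets this header.
SCOPE_HEADER = "X-Authenticated-Scope"


def parse_scopes(value: Optional[str]) -> frozenset:
    """Split a scope string into a set of scope names.

    RFC 6749 uses space as the delimiter; commas are accepted as well so
    'email, user_profile' and 'email user_profile' parse the same way.
    Missing or empty input yields an empty set (no scopes granted).
    """
    if not value:
        return frozenset()
    return frozenset(tok for tok in value.replace(",", " ").split() if tok)


def authorize(headers: Mapping[str, str], required: Set[str]) -> Tuple[int, str]:
    """Decide whether a forwarded request may reach this service.

    Returns (http_status, reason). 403 'insufficient_scope' is the response
    RFC 6750 §3.1 prescribes when the token lacks a scope the resource needs.
    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): val for name, val in headers.items()}
    granted = parse_scopes(lowered.get(SCOPE_HEADER.lower()))
    missing = set(required) - granted
    if missing:
        return 403, "insufficient_scope: missing " + " ".join(sorted(missing))
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests, mirroring the question:
    # service A requires 'user_profile'; the token from B carries only 'email'.
    service_a_required = {"user_profile"}
    print(authorize({"X-Authenticated-Scope": "email"}, service_a_required))
    print(authorize({"X-Authenticated-Scope": "email user_profile"}, service_a_required))
    print(authorize({}, service_a_required))  # header absent: nothing granted
```

Because the decision is made per service from the scopes that service requires, a token that is valid gateway-wide still cannot reach A unless it carries ‘user_profile’; a token with both scopes is admitted.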