I'm trying to implement OAuth2 instead of basic auth in our APIs.
I've built a single authentication server and implemented an access token validation in API #1 and API Server #2.
So my question is, how does OAuth2 work with multiple APIs?
Currently I can access all APIs with a single access_token, but I guess this should not really be..., or am I misunderstanding something?
And I'm not sure about the scopes parameter; this is more a permission thing and does not specify to which APIs an access token should be issued.
Assuming you use a single Authorization Server, the scopes concept allows you to handle this: you could define a scope per API and have clients ask for one or both scopes. It is perfectly valid and practical in OAuth 2.0 to issue an access token that is associated with multiple scopes (i.e. APIs in your case).
Access tokens are issued on a per-client basis so handing out different access tokens to the same client doesn't bring you any security advantage unless the two APIs are controlled by different entities. In any case, the client would have to make a difference in how it requests them, which would be done using scopes again.
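To show the scope-per-API pattern the answer describes in working code, here is an added example that is not part of the original question or answer. It models one authorization server issuing a single token that may carry several scopes, and two resource servers each checking only for their own scope. The scope names `api1` and `api2`, the HMAC-signed token format, the shared signing key and the `authorize_request` helper are all constructed for this example; a real deployment would use whatever token format and validation method (JWT with asymmetric keys, or token introspection) the authorization server actually provides.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret. In this toy model the authorization server and both
# resource servers share it; a real setup would typically use asymmetric keys
# or token introspection instead of a shared HMAC secret.
SIGNING_KEY = b"demo-shared-secret-not-for-production"

# Hypothetical scope names: one scope per API, as the answer suggests.
API1_SCOPE = "api1"
API2_SCOPE = "api2"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by _b64url before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, scopes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Authorization-server side: mint one access token carrying every granted scope."""
    issued_at = int(time.time()) if now is None else int(now)
    payload = {
        "client_id": client_id,
        "scope": " ".join(scopes),   # space-separated, as OAuth 2.0 scope strings are
        "exp": issued_at + ttl,
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def validate_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Resource-server side: verify the signature, then the expiry. Returns the claims or None."""
    try:
        body, sig_text = token.split(".")
        presented_sig = _b64url_decode(sig_text)
    except ValueError:           # malformed token (binascii.Error is a ValueError)
        return None
    expected_sig = hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    current = int(time.time()) if now is None else int(now)
    if int(payload.get("exp", 0)) <= current:
        return None
    return payload


def authorize_request(required_scope: str, token: str, now: Optional[int] = None) -> Tuple[int, str]:
    """What each API does on every request: 401 for a bad token, 403 for a valid
    token that lacks this API's scope, 200 otherwise. The same token is accepted by
    both APIs exactly when it carries both scopes."""
    claims = validate_token(token, now)
    if claims is None:
        return 401, "invalid_token"
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return 403, "insufficient_scope"
    return 200, "ok"


if __name__ == "__main__":
    # Client A asked for both scopes, client B only for api1 (constructed sample).
    both = issue_token("client-a", [API1_SCOPE, API2_SCOPE])
    only_api1 = issue_token("client-b", [API1_SCOPE])
    print("client-a -> API 1:", authorize_request(API1_SCOPE, both))
    print("client-a -> API 2:", authorize_request(API2_SCOPE, both))
    print("client-b -> API 1:", authorize_request(API1_SCOPE, only_api1))
    print("client-b -> API 2:", authorize_request(API2_SCOPE, only_api1))
```

The point the answer makes is visible in `authorize_request`: the access token is the same object for both APIs, and what distinguishes "allowed on API 1" from "allowed on API 2" is the scope claim the authorization server put in it, not a separate token per API. Each resource server only needs to know its own scope name.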