I’m reading the doc and saw this:
In an extreme case, the user could lie and grant an external application OAuth scopes that he himself doesn’t have permission to (“read all classified documents”). The OAuth Access Token with those scopes wouldn’t help the external application read those documents because it can only act in the name of the user, and that user doesn’t have these access privileges.
I am a bit confused. As far as my experience goes, an Access Token has always been considered a symbol of permission. I don’t understand how a user could lie and be granted a valid Access Token. Shouldn’t the Consent Provider verify the user’s permission prior to replying to the Authorization Server?
I could be wrong though. Any info will be appreciated. Thanks in advance.
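The quoted doc passage, shown as an added example that is not part of the original post or the project's code: a resource server that treats the token's scopes as what the user delegated, and separately checks what the user is allowed to do. The user names, scope strings, `USER_PERMISSIONS` table and `AccessToken` shape are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: the resource server's own access-control list.
# Only "alice" is cleared to read classified documents.
USER_PERMISSIONS = {
    "alice": {"documents:read", "classified:read"},
    "bob": {"documents:read"},
}


@dataclass(frozen=True)
class AccessToken:
    """Hypothetical result of validating or introspecting an access token."""
    active: bool
    subject: str          # the user the external application acts for
    scopes: frozenset     # what that user consented to delegate


def authorize(token, required_scope, required_permission):
    """Allow a request only if the delegation AND the user's own rights cover it."""
    if not token.active:
        return (False, "token inactive")
    # Check 1: did the user delegate this capability to the application?
    if required_scope not in token.scopes:
        return (False, "scope not granted")
    # Check 2: does the user hold this permission at all? A scope can only
    # narrow what the user may do, it never adds to it.
    if required_permission not in USER_PERMISSIONS.get(token.subject, set()):
        return (False, "user lacks permission")
    return (True, "ok")


def demo():
    """Run the three cases: over-granted scope, legitimate grant, missing scope."""
    classified = frozenset({"classified:read"})
    return {
        # bob consented to a scope he has no right to: the token is valid but useless
        "bob_overgrant": authorize(AccessToken(True, "bob", classified),
                                   "classified:read", "classified:read"),
        # alice holds the permission and delegated it
        "alice_granted": authorize(AccessToken(True, "alice", classified),
                                   "classified:read", "classified:read"),
        # alice holds the permission but did not delegate it to this application
        "alice_no_scope": authorize(AccessToken(True, "alice", frozenset({"documents:read"})),
                                    "classified:read", "classified:read"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```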