...

In the simplest case an API has just one scope. In more complex scenarios a single scope is not adequate and more granularity is needed. This is solved by defining multiple scopes that give access to different resources and actions, e.g. a read scope and a write scope, or separate scopes for different subdomains. All scopes must be predefined in HelseID, and the client must be provisioned to use them in advance.

Access to multiple APIs (Resources)

Imagine the scenario where a client needs access to multiple resources. This could be solved in several ways: either the client asks for one access token that contains all the scopes it needs, or it asks for several access tokens, each with one of the needed scopes. Both approaches can be correct given the right circumstances. As long as there is mutual trust between the client and all the resources covered by a token, there is no problem with putting all scopes in the same access token. However, if the parties do not trust each other, this approach lets any resource that receives the token impersonate the user by presenting the same token to the other resources it covers. In these cases we usually talk about a circle of trust: within a circle of trust scopes can coexist in a token, but between circles one should request separate tokens to limit the risk of impersonation.
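The read/write scope split above and the replay risk of a multi-scope token can be shown in a few lines. The following is an added example, not HelseID's code or token format: it uses a constructed HMAC-signed "payload.signature" token as a simplified stand-in for the signed access tokens an OAuth 2.0 authorization server issues, a made-up signing key, and hypothetical scope names (`demo:patient/read`, `demo:patient/write`, `demo:lab/read`). It simulates what each resource server can check, and what it cannot: a resource that receives a token covering several scopes can replay it at the other resources, while a token scoped to one circle of trust is rejected elsewhere and cannot be widened by editing its scope claim.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the authorization server's signing key.
# Not a real secret and not how HelseID signs tokens.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"

# Hypothetical scope names; in HelseID all scopes must be predefined and the
# client provisioned for them in advance.
PATIENT_READ = "demo:patient/read"
PATIENT_WRITE = "demo:patient/write"
LAB_READ = "demo:lab/read"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id: str, scopes: list[str]) -> str:
    """Stand-in for the token endpoint: returns 'payload.signature' carrying the
    requested scopes as a space-separated 'scope' claim."""
    payload = json.dumps({"client_id": client_id, "scope": " ".join(scopes)},
                         sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def validate(token: str, required_scope: str) -> bool:
    """What a resource server does: verify the signature, then check that the
    scope it protects is present. It cannot tell whether the token was presented
    by the original client or replayed by another resource that received it."""
    try:
        payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    payload = _unb64(payload_b64)
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return False
    claims = json.loads(payload)
    return required_scope in claims["scope"].split()


def single_token_scenario() -> dict:
    """One token with all scopes: acceptable inside a circle of trust, but the
    patient API can replay the very same token against the lab API."""
    token = issue_token("client-1", [PATIENT_READ, PATIENT_WRITE, LAB_READ])
    return {
        "patient_api_accepts": validate(token, PATIENT_READ),
        "write_allowed": validate(token, PATIENT_WRITE),
        "lab_api_accepts_replay": validate(token, LAB_READ),  # replay succeeds
    }


def per_circle_scenario() -> dict:
    """Separate tokens per circle of trust: a token taken from the patient API
    is useless at the lab API, and a read-only token cannot write."""
    patient_token = issue_token("client-1", [PATIENT_READ])
    lab_token = issue_token("client-1", [LAB_READ])
    return {
        "patient_api_accepts": validate(patient_token, PATIENT_READ),
        "write_allowed": validate(patient_token, PATIENT_WRITE),     # denied
        "lab_api_accepts_replay": validate(patient_token, LAB_READ),  # denied
        "lab_api_accepts_own": validate(lab_token, LAB_READ),
    }


def forged_scope_rejected() -> bool:
    """A resource holding a narrow token cannot widen it by editing the scope
    claim, because the signature no longer matches."""
    token = issue_token("client-1", [PATIENT_READ])
    payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(payload_b64))
    claims["scope"] = f"{PATIENT_READ} {LAB_READ}"
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig_b64
    return not validate(forged, LAB_READ)


if __name__ == "__main__":
    print("single token:", single_token_scenario())
    print("per circle:  ", per_circle_scenario())
    print("forged scope rejected:", forged_scope_rejected())
```

A real resource server would also verify issuer, audience and expiry; those checks are omitted here so that the scope and trust-boundary behaviour stays visible. The point the example makes is that signature checking alone does not stop a trusted-looking resource from replaying a token it was handed, which is why scopes for parties that do not trust each other belong in separate tokens.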

...