
When using Spring Security to secure an API with OAuth, is there any distinction between scopes and roles?

For example, when using non-OAuth role-based authorization I might have a user named john with the role admin.

If I'm using OAuth, then it seems john would just have the scope admin instead.

Am I thinking about this the right way?

Ole

1 Answer


Typically you would use scopes to indicate permissions that a user allows a client app. Think how Facebook asks a user if he wants to allow a certain third party to access his resources such as: name, email, profile, list of friends, etc. On the other hand, you would use roles to denote whether the user is just a regular user, or an admin.

So the rule of thumb is: if it's about a user granting a client app permission to access resources, then use scopes to represent the authority needed. Otherwise use roles to denote authority in terms of what type of user one is.

sofiaguyang
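The distinction the answer draws shows up directly in how a Spring Security resource server maps JWT claims to authorities. The following configuration is an added example, not code from the question or the answer. It assumes Spring Security 6 with the OAuth2 resource server module and JWT bearer tokens; the default `JwtGrantedAuthoritiesConverter` turns the token's `scope`/`scp` claim into `SCOPE_<value>` authorities, while the `roles` claim name, the `ROLE_` prefix, and the URL paths are assumptions for illustration. Scopes guard what the client app was delegated (`hasAuthority("SCOPE_...")`); roles guard what kind of user is calling (`hasRole("...")`).

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Scopes: permissions the user delegated to the client app.
                // A token for john that carries scope "profile" but not "friends"
                // can read /api/me/** but is rejected on /api/friends/**.
                .requestMatchers("/api/me/**").hasAuthority("SCOPE_profile")
                .requestMatchers("/api/friends/**").hasAuthority("SCOPE_friends")
                // Roles: what type of user john is, independent of which client is calling.
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN" (case-sensitive).
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    /**
     * Builds authorities from two claims so that scopes and roles stay distinct:
     *   scope: "profile email"   -> SCOPE_profile, SCOPE_email
     *   roles: ["ADMIN"]         -> ROLE_ADMIN
     */
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Default behaviour: "scope" or "scp" claim -> SCOPE_<value>.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        // Assumed claim name "roles": use whatever claim your authorization server issues.
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("ROLE_");

        // Merge both sets; the prefixes keep SCOPE_ADMIN and ROLE_ADMIN from colliding.
        Converter<Jwt, Collection<GrantedAuthority>> both = jwt -> {
            List<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            authorities.addAll(roles.convert(jwt));
            return authorities;
        };

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(both);
        return converter;
    }
}
```

The example assumes a `JwtDecoder` is provided by the usual `spring.security.oauth2.resourceserver.jwt.issuer-uri` property. The point to notice is that a token can carry `ROLE_ADMIN` for john and still be denied on `/api/friends/**` if the client he authorized was never granted the `friends` scope; the role describes john, the scope describes what that particular client may do on his behalf.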