I am using Laravel Passport (Laravel 5.6), using the password grant. I have two clients: app and cms. I want the cms client to be able to read, write and delete. The app client should only be able to read.

Why not use scopes for this? Because the app client will have its username and password, and scope request, hard-coded. So it could in theory be decompiled and the scope altered.

So I need to restrict behaviour according to the client. Is this possible in Laravel Passport?

GluePear

1 Answer

If your app has a user/password, it means you could authenticate that user (the app) and assign a permission/roles policy; you should check this: https://laravel-news.com/two-best-roles-permissions-packages

If you want to implement scopes, remember they don't apply directly to the user; as in OAuth2, basically you are giving permission to an app to access some resources on behalf of the user. Check this answer: Laravel Passport Scopes

So you could try an authorization flow, and basically every time your client needs some specific scope it will ask the user for authorization, like any app does when its permissions change.

accexs
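One way to enforce the per-client restriction the question asks for on the server side, as an added example that is not code from the question, the answer or Laravel Passport itself: a middleware that reads the client id from the Passport access token the request was authenticated with and rejects write methods unless that client is on an allow-list. The middleware name, the client ids and the route wiring are assumptions.

```php
<?php
// app/Http/Middleware/RestrictPassportClient.php (hypothetical file and class name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RestrictPassportClient
{
    // Assumed mapping of Passport client id => HTTP methods that client may use.
    // The ids are placeholders; take the real ones from your oauth_clients table.
    private const ALLOWED_METHODS = [
        1 => ['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE'], // cms client
        2 => ['GET', 'HEAD'],                                   // app client: read only
    ];

    public function handle(Request $request, Closure $next)
    {
        $user = $request->user();
        // token() comes from Passport's HasApiTokens trait and returns the
        // access token model, which carries the client_id it was issued to.
        $token = $user ? $user->token() : null;
        if ($token === null) {
            abort(401, 'Unauthenticated.');
        }

        // The decision is taken from the token the server issued, so a client
        // that alters its own hard-coded scope request cannot widen its access.
        $allowed = self::ALLOWED_METHODS[$token->client_id] ?? [];
        if (!in_array($request->method(), $allowed, true)) {
            abort(403, 'This client is not allowed to perform this action.');
        }

        return $next($request);
    }
}
```

Register the class under `$routeMiddleware` in app/Http/Kernel.php and apply it after `auth:api` on the API routes, so the token has already been resolved when the check runs.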