I’ve stumbled across Prismatic before but don’t know much about it. Out of curiosity, do you mind sharing what you’ll wire up to Jira with that?
Good questions.
The OAuth 2.0 spec has more capability than what we’ve implemented. For OAuth 2.0, clients could conceivably “register” a set of maximum scopes and then incrementally request “approved” scopes from users. In an imaginary LinkedIn auth exchange, I might have a client that works with both resumes and posts. When I need the resume, I run an auth flow, and you approve. When I need posts, I run another auth flow, and increment up to both.
In our real context, that means what you put into the developer console can be more than what your client actually has. But, our implementation doesn’t really support the incremental additions. So, for security best practice, it would be best if they are the same. The hard constraint is the “approved” scopes can only be a subset of the “registered” scopes. Otherwise, the auth flow will fail (not the API requests).
Now that I understand that Prismatic is probably managing the OAuth flow for you, you might need a quick way to perform the OAuth 2 flow for yourself. Some months ago, I wrote how you might do that using a utility called oauth2c:
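The "registered" vs. "approved" scope rule discussed above can be modelled in a few lines. The following is an added illustration, not code from Atlassian, Prismatic or the original reply: a toy authorization-server check that parses the space-delimited `scope` parameter (RFC 6749 section 3.3), rejects any request whose scopes are not a subset of what the client registered (the `invalid_scope` error defined in RFC 6749), and shows the incremental-consent model the spec allows, where each approval is unioned into the user's existing grant. The scope names, the `REGISTERED_SCOPES` set and the `Grant` record are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data: the maximum scopes a client declared in the
# developer console. Real scope names differ per authorization server.
REGISTERED_SCOPES = frozenset({"read:jira-work", "write:jira-work", "read:jira-user"})


def parse_scope(scope_param: str) -> frozenset:
    """Split an OAuth 2.0 'scope' parameter into individual scope tokens.

    RFC 6749 section 3.3 defines the value as a space-delimited list; empty
    tokens from repeated spaces are dropped.
    """
    return frozenset(token for token in scope_param.split(" ") if token)


def check_requested_scopes(requested: str, registered: frozenset = REGISTERED_SCOPES):
    """Authorization-endpoint check: requested scopes must be a subset of the
    client's registered scopes.

    Returns ("ok", <requested scopes>) on success, or
    ("invalid_scope", <offending scopes>) when the request exceeds registration
    or is empty. This is the case the reply describes as failing at the auth
    flow, before any API request is made.
    """
    wanted = parse_scope(requested)
    if not wanted:
        return ("invalid_scope", frozenset())
    exceeding = wanted - registered
    if exceeding:
        return ("invalid_scope", exceeding)
    return ("ok", wanted)


@dataclass(frozen=True)
class Grant:
    """What a resource owner has approved for one client so far (constructed model)."""
    client_id: str
    user_id: str
    scopes: frozenset = field(default_factory=frozenset)


def incremental_consent(grant: Grant, newly_approved: str,
                        registered: frozenset = REGISTERED_SCOPES):
    """Model of incremental authorization: each approved request is unioned
    into the existing grant, still bounded by the registered maximum.

    Returns ("ok", <new grant>) or ("invalid_scope", <unchanged grant>).
    """
    status, scopes = check_requested_scopes(newly_approved, registered)
    if status != "ok":
        return (status, grant)
    return ("ok", Grant(grant.client_id, grant.user_id, grant.scopes | scopes))


if __name__ == "__main__":
    # First flow: only read access; second flow: increment up to write access.
    grant = Grant(client_id="client-abc", user_id="user-1")
    _, grant = incremental_consent(grant, "read:jira-work")
    _, grant = incremental_consent(grant, "write:jira-work")
    print("granted:", sorted(grant.scopes))
    # A scope that was never registered fails at the auth step, not the API.
    print("over-reach:", incremental_consent(grant, "admin:everything")[0])
```

The practical takeaway matches the reply: keep the console's registered set equal to what the client actually asks for, so the subset check never trips in production and an unexpectedly broad registration does not sit unused as latent excess privilege.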