I'm designing an enterprise infrastructure monitoring application which has customized access-control needs, beyond roles and authorities.
The architecture includes multiple load-balanced REST API nodes, an Angular client, and an authorization server based on OAuth 2.0 using JWT.
These REST API nodes are generic and can be run with different configuration properties, which makes them work for different infrastructures that are similar in nature but are separated at the business level. You can think of it as monitoring two different data-centers which are similar in nature but are managed by different groups of people due to the scale of the infrastructure.
The REST APIs can be run for any of the data-centers by changing some command line arguments.
Then there is an Angular client which is built in such a fashion that it can access both data-centers' REST APIs (there is a master dropdown in the top header; changing it changes the base URL for API calls and hence the data-center) based on the authorities that the signed-in user has.
Now the problem part is access control using OAuth 2.0. There are three levels of access control required.
So the use cases may include many situations like:
To handle all these scenarios, the angular client will require every user's scope of access so that it can choose to show/hide and restrict access to a particular dashboard or action.
Now the question is that many of these access scopes are associated with a web client (the Angular client in our case) and are not directly related to the REST API, i.e. many of the authorities that I will be defining will be helpful for the Angular client but won't make any sense to any other client (for example, a Python client).
How can I handle such client-specific scenarios on the authorization server? Am I thinking in the right direction, or do I need to change my perspective?
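As an added illustration (not code from the question author), here is one way the pieces described above fit together: the authorization server keeps a per-client list of allowed scopes, so UI-only authorities can be requested by the Angular client but never end up in a token issued to another client, and each REST node (started for one data-center) checks only the `aud` and the scope it cares about. All client ids, scope strings, data-center ids, user authorities and the signing key are constructed for this example.

```python
import base64, hashlib, hmac, json, time

# Constructed client registry: scopes each registered client may request.
# The ui:* scopes are listed only for the Angular client.
CLIENT_ALLOWED_SCOPES = {
    "angular-ui": {"dc1:read", "dc1:write", "dc2:read",
                   "ui:dashboards:capacity", "ui:actions:restart"},
    "python-cli": {"dc1:read", "dc2:read"},
}
# Constructed per-user authorities (in practice loaded from your user store).
USER_AUTHORITIES = {
    "alice": {"dc1:read", "dc1:write", "dc2:read", "ui:dashboards:capacity"},
    "bob":   {"dc2:read", "ui:actions:restart"},
}
DEMO_KEY = b"constructed-demo-hs256-key"  # placeholder, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def effective_scopes(user, client_id, requested):
    """Granted scope = requested ∩ allowed-for-this-client ∩ held-by-user."""
    return (set(requested) & CLIENT_ALLOWED_SCOPES.get(client_id, set())
            & USER_AUTHORITIES.get(user, set()))

def issue_token(user, client_id, requested, key, now=None):
    """Mint an HS256 JWT; 'aud' lists only the data-centers the scopes touch."""
    scopes = effective_scopes(user, client_id, requested)
    aud = sorted({s.split(":")[0] for s in scopes if s.startswith("dc")})
    claims = {"sub": user, "client_id": client_id, "aud": aud,
              "scope": " ".join(sorted(scopes)),
              "exp": (now or int(time.time())) + 300}
    hdr = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{b64url(sig)}"

def verify_token(token, key, now=None):
    """Check alg, signature and expiry; return the claims or raise ValueError."""
    hdr, body, sig = token.split(".")
    if json.loads(b64url_decode(hdr)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims["exp"] <= (now or int(time.time())):
        raise ValueError("expired")
    return claims

def api_allows(token, key, datacenter, needed_scope, now=None):
    """What a REST node for one data-center checks; ui:* scopes are ignored here."""
    c = verify_token(token, key, now)
    return datacenter in c["aud"] and needed_scope in c["scope"].split()
```

The Angular client reads the `scope` claim to decide what to show or hide, while a Python client that asks for `ui:*` scopes simply never receives them.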