I have a general question regarding how scopes in the OAuth2 protocol are handled. For easy argumentation, let's start with a concrete example:

Let's say I have an OAuth server A which I want to use in order to protect two RESTful APIs, R1 and R2. These two services have special scopes that they use to grant a user access to some protected resources. So let's say R1 needs the scope S1 and R2 needs the scope S2 in order to access some restricted resources.

Let's further assume that the OAuth server A also makes use of the scopes email and profile; they are needed to access the user data that the OAuth server itself manages.

Now here is what I'm having trouble understanding. As far as I can see, the OAuth server A normally only knows how to handle the scopes that it itself uses (in this case email and profile). But what about the scopes that are required in order to access the restricted functionality on the two APIs (R1 needs S1 and R2 needs S2)?

Do I have to register these scopes manually with the OAuth server (so that it knows that they exist and can grant them should that be needed)? That again would mean that I need to register all scopes of all the APIs that I want to protect/use using the OAuth server.

Are these assumptions correct? If I get something wrong here, perhaps someone can help me by explaining how the entire scope handling is normally implemented. I tried to google "oauth2 and scopes" but there seems to be no good explanation of how exactly scopes are handled in the protocol.
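The scenario in the question, modelled in code as an added example that is not part of the question itself. It assumes one common design: the authorization server A keeps a registry of every scope it may issue (its own plus those of R1 and R2), and each resource server checks only the scope it needs in the token it receives. The scope names (S1, S2, email, profile) and the subject "alice" are taken from the question or constructed.

```python
from dataclasses import dataclass, field

# Assumed design: scopes registered with A are its own (email, profile)
# plus those belonging to the APIs it protects (S1 for R1, S2 for R2).
REGISTERED_SCOPES = {"email", "profile", "S1", "S2"}


def parse_scope(scope_param: str) -> set[str]:
    """Parse an RFC 6749 scope parameter: space-delimited, case-sensitive strings."""
    return {s for s in scope_param.split(" ") if s}


@dataclass
class Token:
    subject: str
    scopes: set[str] = field(default_factory=set)


def issue_token(subject: str, requested: str) -> Token:
    """A issues a token only for scopes it knows about.

    RFC 6749 lets the server either reject unknown scopes with the
    invalid_scope error or narrow the granted set; this example rejects,
    so a typo or a scope of an unregistered API never ends up in a token.
    """
    wanted = parse_scope(requested)
    unknown = wanted - REGISTERED_SCOPES
    if unknown:
        raise ValueError(f"invalid_scope: {sorted(unknown)}")
    return Token(subject, wanted)


def resource_allows(token: Token, required_scope: str) -> bool:
    """Resource-server side: R1 checks for S1, R2 checks for S2.

    Each API only needs to know its own scope; it never has to understand
    email, profile or the other API's scope to make its decision.
    """
    return required_scope in token.scopes


if __name__ == "__main__":
    # Constructed sample: a client asks A for email access plus R1's scope.
    token = issue_token("alice", "email S1")
    print("R1 allows:", resource_allows(token, "S1"))  # True
    print("R2 allows:", resource_allows(token, "S2"))  # False
```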