When requesting an OAuth Password Grant token, the user can specify his desired scope. How can one prevent a regular user from requesting an admin scope?
The code exemplifies a malicious request that asks for an admin scope, although he shouldn't have access to it.
curl -X POST \
http://a.myapiserver.com/api/oauth/token \
-F grant_type=password \
-F client_id=2 \
-F client_secret=PpMrx32Zow5OcQf491GXXT0dlEzMNuYHt6fe4Wdy \
-F username=regularuser \
-F password=strongpasss \
-F scope=admin
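The request above shows why the `scope` parameter must be treated as untrusted input: the authorization server, not the client, decides which scopes a token carries. The following is an added example (not code from the question or from any particular OAuth library) of a password-grant token handler that checks the requested scope against a per-user allowance; the user directory, passwords and scope names are constructed for illustration.

```python
import hmac
from typing import Optional, Tuple

# Constructed sample data (hypothetical, not from the question): only "adminuser"
# is allowed to hold the "admin" scope. A real server would store password hashes.
USERS = {
    "regularuser": {"password": "strongpasss", "allowed_scopes": {"read", "write"}},
    "adminuser": {"password": "admin-pass-example", "allowed_scopes": {"read", "write", "admin"}},
}
CLIENT_DEFAULT_SCOPES = {"read"}  # applied when the request omits "scope"


def parse_scope(raw: Optional[str]) -> set:
    """RFC 6749 scope is a space-delimited list; an absent value means the client default."""
    if not raw or not raw.strip():
        return set(CLIENT_DEFAULT_SCOPES)
    return set(raw.split())


def password_grant(form: dict, narrow: bool = False) -> Tuple[int, dict]:
    """Handle grant_type=password and return (http_status, json_body).

    narrow=False: any requested scope outside the user's allowance is refused with
    invalid_scope (RFC 6749 section 5.2). narrow=True: the token is issued with the
    permitted subset only, and the response's "scope" field tells the client so.
    """
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    user = USERS.get(form.get("username", ""))
    if user is None or not hmac.compare_digest(user["password"], form.get("password", "")):
        return 400, {"error": "invalid_grant"}
    requested = parse_scope(form.get("scope"))
    granted = requested & user["allowed_scopes"]  # server-side decision, never the raw request
    if not granted or (granted != requested and not narrow):
        return 400, {"error": "invalid_scope",
                     "error_description": "requested scope exceeds what this user may hold"}
    # A real server would mint a signed or opaque token bound to `granted`; the token's
    # scope claim must come from this computed set, not from the request parameter.
    scope_str = " ".join(sorted(granted))
    return 200, {"access_token": "example-token-for:" + scope_str,
                 "token_type": "Bearer", "scope": scope_str}
```

The same check belongs in every grant type that accepts `scope`, and the resource server should still enforce the scope it finds in the token rather than trusting the client's request.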