
Unable to determine OAuth flow in ScopeRepositoryInterface #1486

@sgoranov

Description


The current ScopeRepositoryInterface does not expose any context about the OAuth2 grant/flow (e.g., authorization_code, client_credentials, refresh_token) when resolving or validating scopes.

```php
namespace League\OAuth2\Server\Repositories;

interface ScopeRepositoryInterface extends RepositoryInterface
{
    public function getScopeEntityByIdentifier($identifier);
}
```

This makes it impossible to:

  • Restrict or validate scopes per flow
  • Return different scope entities depending on the flow

Suggestion

It could be beneficial to extend getScopeEntityByIdentifier() to accept additional context parameters, such as:

  • $grantType or $flow: (e.g. "client_credentials", "authorization_code")
  • Optionally, client or user context (if applicable)

This enhancement would enable more granular and secure scope validation.

Example Issue

In Client Credentials Flow, there is no end-user authentication - only the client itself is authenticated.
For security and compliance reasons, the openid scope must not be allowed in this flow. However, with the current interface, it’s not possible to reject openid only for client_credentials.
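An added example (not part of the issue and not code from league/oauth2-server) of what the proposed extension could look like: a hypothetical flow-aware interface that passes the grant type to the scope lookup, and a repository that uses it to reject `openid` for `client_credentials` while still allowing it for `authorization_code`. The `FlowAwareScopeRepositoryInterface`, `ScopeEntity` class and the policy table are assumptions.

```php
<?php
declare(strict_types=1);

use League\OAuth2\Server\Entities\ScopeEntityInterface;

/** Hypothetical extension of ScopeRepositoryInterface with a grant-type argument. */
interface FlowAwareScopeRepositoryInterface
{
    public function getScopeEntityByIdentifier(string $identifier, ?string $grantType = null): ?ScopeEntityInterface;
}

/** Minimal scope entity (assumed); the real library ships traits for this. */
final class ScopeEntity implements ScopeEntityInterface
{
    public function __construct(private string $identifier) {}
    public function getIdentifier(): string { return $this->identifier; }
    public function jsonSerialize(): string { return $this->identifier; }
}

final class PolicyScopeRepository implements FlowAwareScopeRepositoryInterface
{
    /** Constructed sample policy: scope identifier => grant types allowed to request it. */
    private const POLICY = [
        'openid'   => ['authorization_code', 'refresh_token'],
        'profile'  => ['authorization_code', 'refresh_token'],
        'api:read' => ['authorization_code', 'client_credentials', 'refresh_token'],
    ];

    public function getScopeEntityByIdentifier(string $identifier, ?string $grantType = null): ?ScopeEntityInterface
    {
        if (!isset(self::POLICY[$identifier])) {
            return null; // unknown scope: not issued for any flow
        }
        // Without flow context only existence can be checked; with it the per-flow policy is enforced.
        if ($grantType !== null && !in_array($grantType, self::POLICY[$identifier], true)) {
            return null; // e.g. openid requested under client_credentials is rejected
        }
        return new ScopeEntity($identifier);
    }
}

$repo = new PolicyScopeRepository();
$viaCode   = $repo->getScopeEntityByIdentifier('openid', 'authorization_code'); // ScopeEntity
$viaClient = $repo->getScopeEntityByIdentifier('openid', 'client_credentials'); // null
```

Returning `null` causes the server to treat the scope as invalid for that request, so the rejection surfaces as a standard `invalid_scope` error rather than a silently granted `openid` token.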
