OAuth2 scopes describe what a client application may do on a user's behalf; they were never intended to model fine-grained application authorization (which user may perform which action on which resource), and using them as a substitute for a real authorization architecture is a bad idea.
Authentication is largely a solved problem, with mature standards and identity providers to lean on. Authorization remains a far bigger problem, and is far from solved.
Five principles that any developer solution for application authorization should adhere to.
Embedding your authorization logic inside your application is a constant source of pain. Separating policy from code brings many benefits.
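The following is an added example, not code from any of the posts above or from their authors: it demonstrates both the scope point (a scope check alone over-grants because scopes carry no notion of which resource) and the value of separating policy from code (the policy table and the decision function live apart from the request handler). The document store, the `documents:*` scope names, the relation names and the `Token`/`POLICY` shapes are all hypothetical, constructed for illustration.

```python
"""Scope check vs. externalized authorization policy (illustrative example;
all names, scopes and sample data are constructed, not from any real API)."""
from dataclasses import dataclass

# Constructed sample data: a tiny document-sharing service.
DOCUMENTS = {
    "doc-1": {"owner": "alice", "shared_with": {"bob"}},
    "doc-2": {"owner": "carol", "shared_with": set()},
}


@dataclass(frozen=True)
class Token:
    """Minimal stand-in for an OAuth2 access token: subject plus granted scopes."""
    sub: str
    scopes: frozenset


# Approach 1: the scope is the only authorization check.
def scope_only_can_read(token: Token, doc_id: str) -> bool:
    """Coarse check: any token carrying documents:read may read ANY document.
    A scope says what the client may do on the user's behalf; it says nothing
    about which resource, so alice's token can read carol's doc-2."""
    return "documents:read" in token.scopes and doc_id in DOCUMENTS


# Approach 2: scope gates the client, an externalized policy decides the user.
# The policy is data, kept apart from request-handling code: for each action,
# the relations a subject must hold to the resource.
POLICY = {
    "read": ["owner", "viewer"],
    "write": ["owner"],
    "share": ["owner"],
}


def relations(subject: str, doc: dict) -> set:
    """Derive the subject's relations to a document from the relationship store."""
    rels = set()
    if doc["owner"] == subject:
        rels.add("owner")
    if subject in doc["shared_with"]:
        rels.add("viewer")
    return rels


def is_allowed(subject: str, action: str, doc_id: str, policy=POLICY) -> bool:
    """Policy decision point: (subject, action, resource) -> allow/deny.
    Unknown resources and unknown actions are denied (fail closed)."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    permitted = policy.get(action, [])
    return any(rel in permitted for rel in relations(subject, doc))


def can(token: Token, action: str, doc_id: str) -> bool:
    """Enforcement point: the scope limits what the *client* may attempt on the
    user's behalf; the policy decides what the *user* may do to *this* resource.
    Both must pass."""
    if f"documents:{action}" not in token.scopes:
        return False
    return is_allowed(token.sub, action, doc_id)
```

With the constructed data, a token for alice holding only `documents:read` passes the scope-only check for doc-2 (carol's private document) but is denied by `can`, while it is allowed on doc-1, which alice owns; the same token is refused `share` on doc-1 despite alice being the owner, because the client was never granted that scope. Changing who may do what is an edit to `POLICY` or to the relationship data, not to the handler code.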
Authorization for SaaS applications is painful for developers, administrators, SecOps, and compliance. It's time to fix this!