Third-party client applications are also scoped in their ability to interact with the UAA API.

Consider our original client uaa_admin:

uaa get-client uaa_admin

The output shows that uaa_admin client has many authorities, but scope uaa.none:

{
  "client_id": "uaa_admin",
  "scope": [
    "uaa.none"
  ],
  "resource_ids": [
    "none"
  ],
  "authorized_grant_types": [
    "client_credentials"
  ],
  "authorities": [
    "uaa.admin",
    "clients.read",
    "clients.secret",
    "clients.write",
    "scim.write",
    "scim.read"
    "password.write",
  ],
  "lastModified": 1529652956499
}

Alternately, the uaa-cli-authcode client has a scope openid but authorities uaa.none:

{
  "client_id": "uaa-cli-authcode",
  "scope": [
    "openid"
  ],
  "resource_ids": [
    "none"
  ],
  "authorized_grant_types": [
    "refresh_token",
    "authorization_code"
  ],
  "redirect_uri": [
    "http://localhost:9876"
  ],
  "authorities": [
    "uaa.none"
  ],
  "lastModified": 1529653539556
}