I have a rest api resource that uses spring security oauth2 for authorization. This is an external api for third party clients to use. This resource will be making calls to internal resources that are only used by our applications - no third party access. These internal resources use method level security for fine grained access control. I am using oauth2 on the internal services to provide a security context with the current resource owner (user) so that the spring method level security works.
In my external resource, I am configuring an OAuth2RestTemplate as follows to pass the access token to the internal resource:

    OAuth2ProtectedResourceDetails resource; // injected (the internal client's resource details)
    // Take the access token that the third party client presented to the external API...
    OAuth2Authentication auth = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
    OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) auth.getDetails();
    OAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(details.getTokenValue());
    // ...and put it in the client context so the OAuth2RestTemplate forwards it as the bearer token
    OAuth2ClientContext clientContext = new DefaultOAuth2ClientContext(accessToken);
    RestTemplate restTemplate = new OAuth2RestTemplate(resource, clientContext);

I have a third party client defined in my oauth client details with some scopes that make sense in the external api. I am also giving it access to both the external and internal resources. I then have an internal client defined (which is the OAuth2ProtectedResourceDetails above) which has access to the internal resources and has scopes that make sense in the internal resources.
The issue is that I would like to have some special scope (SCOPE_INTERNAL?) that applies to all of the internal resources and that the internal client has when calling an internal resource. The issue is that the only way I can get this to work is to give the third party client the INTERNAL scope, in addition to the existing scopes for accessing the external resource. (I also need to define both the internal and external resource ids for the third party client, but that isn't really visible to them.) The internal services aren't accessible externally due to network configuration, but I still don't like granting these extra scopes to third party clients. The other slightly cleaner solution is to remove all scopes from the internal services. Is there some way I can widen the scope on the access token when it is used by the internal client? I have considered using the TokenStore to create a new access token for the user with the desired scope, but I am not sure if this is the best solution. Since my goal is simply to access the internal services as a particular user, maybe it makes sense to implement some custom authentication in the internal services and drop oauth altogether for internal resources? Any recommendations?
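One way to carry out the TokenStore idea mentioned in the question, as an added example that is not part of the question or of any answer: instead of granting INTERNAL to the third party client, the external resource mints a separate token for the same user under a dedicated internal client and forwards that one. It assumes an AuthorizationServerTokenServices bean backed by the same TokenStore as the authorization server, and uses the placeholder client id internal-client, scope INTERNAL and resource id internal-resource.

```java
import java.util.Collections;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

public class InternalTokenFactory {

    // Assumed: token services sharing the TokenStore with the authorization server.
    private final AuthorizationServerTokenServices tokenServices;
    // The internal client's resource details (the injected OAuth2ProtectedResourceDetails).
    private final OAuth2ProtectedResourceDetails internalResource;

    public InternalTokenFactory(AuthorizationServerTokenServices tokenServices,
                                OAuth2ProtectedResourceDetails internalResource) {
        this.tokenServices = tokenServices;
        this.internalResource = internalResource;
    }

    // Builds an OAuth2RestTemplate carrying a token for the current user under the
    // internal client, limited to the INTERNAL scope and the internal resource id.
    public OAuth2RestTemplate forCurrentUser() {
        OAuth2Authentication external =
                (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
        OAuth2Request externalRequest = external.getOAuth2Request();

        // Same user authentication; client id, scope and resource ids are placeholders.
        OAuth2Request internalRequest = new OAuth2Request(
                externalRequest.getRequestParameters(),
                "internal-client",
                externalRequest.getAuthorities(),
                true,
                Collections.singleton("INTERNAL"),
                Collections.singleton("internal-resource"),
                null, null, null);
        OAuth2Authentication internalAuth =
                new OAuth2Authentication(internalRequest, external.getUserAuthentication());

        // Minted server-side and sent only to internal services: the third party client's
        // own token keeps its original scopes and never gains INTERNAL.
        OAuth2AccessToken internalToken = tokenServices.createAccessToken(internalAuth);
        return new OAuth2RestTemplate(internalResource, new DefaultOAuth2ClientContext(internalToken));
    }
}
```

Because the minted token is stored in the shared TokenStore, the internal resource servers validate it exactly as they validate any other token, and method level security still sees the original resource owner.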