Trying to restrict an OAuth client to specific divisions for a multi-tenant setup. The standard client creation endpoint doesn’t seem to support division scoping directly.
- Client type: Public
- Endpoint: POST /api/v2/oauth/clients
- Payload includes allowedDivisions array
- Result: Client created but user auth still returns global scope
Where is the division constraint actually enforced in the token generation flow?