Running into a weird scope issue with the genesyscloud_oauth_client resource. I’m trying to restrict a client to specific divisions for a multi-tenant BPO setup, but the token it generates still sees everything.
Here’s the config I’m pushing:
```hcl
resource "genesyscloud_oauth_client" "bpo_client" {
  name         = "BPO-Access-Client"
  client_type  = "confidential"
  division_ids = ["div-id-1", "div-id-2"]
  scopes       = ["view:agent", "edit:conversation"]
}
```
The resource applies fine, no errors. But when I grab a token and hit /api/v2/users, it returns users from divisions I didn’t list. I checked the API docs and division_ids is supposed to limit the scope, or at least that’s how I read it.
Am I missing a step where I need to explicitly set the division on the token request? Or is this just a bug in the provider? I’ve tried refreshing the state and re-applying, same result. The client shows the correct divisions in the UI, but the token behavior is totally unrestricted. It’s driving me nuts because I need this for security compliance. Any ideas on what I’m doing wrong here?
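One way to turn the symptom described in the post into a repeatable isolation check, as an added example that is not part of the original post: it takes a page of `/api/v2/users` results fetched with the client's token and reports every user outside the divisions listed in the config. The response shape (an `entities` list whose items carry a `division` object with an `id`), the function names and the sample data are assumptions.

```python
import json

# Division IDs taken from the Terraform config in the post.
ALLOWED_DIVISIONS = {"div-id-1", "div-id-2"}

# Constructed sample of one /api/v2/users page (not real output).
# Assumption: each user entity carries a "division" object with an "id".
SAMPLE_PAGE = json.loads("""
{
  "entities": [
    {"id": "u-1", "name": "Agent A", "division": {"id": "div-id-1"}},
    {"id": "u-2", "name": "Agent B", "division": {"id": "div-id-2"}},
    {"id": "u-3", "name": "Agent C", "division": {"id": "div-id-9"}},
    {"id": "u-4", "name": "Agent D"}
  ]
}
""")


def audit_division_isolation(page, allowed):
    """Return {division_id: [user ids]} for users outside the allowed set.

    Users with no division information are reported under "<unknown>" so a
    missing field is never silently counted as compliant.
    """
    leaks = {}
    for user in page.get("entities", []):
        div_id = (user.get("division") or {}).get("id") or "<unknown>"
        if div_id not in allowed:
            leaks.setdefault(div_id, []).append(user.get("id"))
    return leaks


def is_isolated(page, allowed):
    """True only when every returned user sits in an allowed division."""
    return not audit_division_isolation(page, allowed)


if __name__ == "__main__":
    leaks = audit_division_isolation(SAMPLE_PAGE, ALLOWED_DIVISIONS)
    for div_id, users in sorted(leaks.items()):
        print(f"outside allowed divisions: {div_id}: {users}")
    # Non-zero exit lets a CI job fail when the token sees too much.
    raise SystemExit(1 if leaks else 0)
```

Run after each `terraform apply` against every page of results, so a change that widens the client's visibility fails the pipeline instead of surfacing in an audit.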