Hi @lgdev,
Thanks for reaching out.
So my first question is how will it work if we ADD a new scope (not remove just add a new scope)?
Regarding your first question, if you add a new scope to your application, it will not affect the existing authorizations and tokens for your clients. Your clients will only need to re-authorize and grant consent for the new scope if they want to use the new functionality that requires the new scope. The existing authorizations and tokens will continue to work as expected for the existing scopes.
My second question is what happens when a secret expires?
As for your second question, if a secret expires, it will not invalidate the existing OAuth2 refresh tokens across your client base. The expiration of a secret only affects the ability to generate new access tokens using that secret. Existing access tokens and refresh tokens will continue to work until they expire or are revoked. However, it is important to note that if you do need to generate a new secret, you will need to update your application's configuration to use the new secret, and any clients using your application will need to update their configuration as well.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
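An added example, not part of the reply above: one way an application can decide whether a client has to go through consent again after a new scope is introduced, by comparing the space-delimited `scope` value stored from the token response (RFC 6749) with what a feature requires. The endpoint, client ID, redirect URI and scope names are hypothetical placeholders.

```python
import secrets
from urllib.parse import urlencode

# Hypothetical values for illustration; none of these come from the thread.
AUTHORIZE_ENDPOINT = "https://login.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def parse_scopes(scope_value):
    """Split the space-delimited scope string returned with a token."""
    return set(scope_value.split())


def missing_scopes(granted_scope_value, required):
    """Return the scopes a feature needs that the stored grant does not cover."""
    return sorted(set(required) - parse_scopes(granted_scope_value))


def reauthorization_url(granted_scope_value, required, state=None):
    """Return None when the existing grant is sufficient; otherwise return an
    authorization request asking for the old scopes plus the missing ones."""
    missing = missing_scopes(granted_scope_value, required)
    if not missing:
        return None  # existing tokens keep working, no new consent needed
    requested = sorted(parse_scopes(granted_scope_value) | set(missing))
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(requested),
        # Unguessable state value so the callback can reject forged responses.
        "state": state or secrets.token_urlsafe(16),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed sample: a grant issued before the new scope existed.
    stored = "openid profile orders.read"
    print(reauthorization_url(stored, ["orders.read"]))
    print(reauthorization_url(stored, ["orders.read", "orders.write"]))
```

Only clients that call the feature needing the new scope are sent back through authorization; everyone else keeps using the grant they already have.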