OpenID hydra
https://www.ory.sh/docs/next/hydra/oauth2#oauth-20-scope
An OAuth 2.0 Scope is not a permission:
A permission allows an actor to perform a certain action in a system: Bob is allowed to delete his own photos.
OAuth 2.0 Scope implies that an end-user granted certain privileges to a client: Bob allowed the OAuth 2.0 Client to delete all users.
The OAuth 2.0 Scope can be granted without the end-user actually having the right permissions. In the examples above, Bob granted an OAuth 2.0 Client the permission (“scope”) to delete all users in his name. However, since Bob is not an administrator, that permission (“access control”) is not actually granted to Bob. Therefore any request by the OAuth 2.0 Client that tries to delete users on behalf of Bob should fail.
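I authorize a program with "read, delete" permissions, but whether the authorized program can actually "read, delete" data, or actually has "read, delete" permissions, is not guaranteed.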
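The Bob case above as a resource-server check, written as an added example (not code from Ory Hydra or its documentation): the request must pass both the scope check on the token and the access-control check on the end-user. The scope names, the `ADMINS` set and the permission rules are assumptions made for illustration; the token dictionaries are constructed and only shaped like an RFC 7662 introspection response.

```python
# Constructed sample data: scope names and the permission model are assumptions.
ADMINS = {"alice"}

# Which scope a client must hold for each (action, resource kind).
REQUIRED_SCOPE = {
    ("delete", "photo"): "photos.delete",
    ("delete", "user"): "users.delete",
}


def user_has_permission(subject, action, resource):
    """Access control: what the end-user is allowed to do."""
    kind, owner = resource  # e.g. ("photo", "bob") or ("user", "carol")
    if action == "delete" and kind == "photo":
        return owner == subject or subject in ADMINS
    if action == "delete" and kind == "user":
        return subject in ADMINS
    return False


def authorize(introspection, action, resource):
    """Return (allowed, reason). Scope and permission are checked separately."""
    if not introspection.get("active"):
        return (False, "inactive_token")
    # 1. Scope: did the end-user delegate this privilege to the client?
    required = REQUIRED_SCOPE.get((action, resource[0]))
    granted = set(introspection.get("scope", "").split())
    if required is None or required not in granted:
        return (False, "insufficient_scope")
    # 2. Permission: does the end-user hold the right in the first place?
    if not user_has_permission(introspection.get("sub"), action, resource):
        return (False, "forbidden")
    return (True, "ok")


# Bob consented to both scopes, but he is not an administrator.
BOB_TOKEN = {"active": True, "sub": "bob", "scope": "photos.delete users.delete"}
# Alice is an administrator, but only granted the client photos.delete.
ALICE_TOKEN = {"active": True, "sub": "alice", "scope": "photos.delete"}

if __name__ == "__main__":
    for token, resource in [
        (BOB_TOKEN, ("photo", "bob")),
        (BOB_TOKEN, ("user", "carol")),
        (ALICE_TOKEN, ("user", "carol")),
    ]:
        print(token["sub"], resource, authorize(token, "delete", resource))
```

The second case is the one the quoted text describes: the token carries `users.delete`, yet the request is rejected because Bob himself lacks the permission.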