Manage API Client Access for internal applications - scope not restricted?

[Charles Cooke]

We are using 3-legged OAuth for our internal application.  We would like to manage the scope as discussed here (http://www.google.com/support/a/bin/answer.py?answer=162106).  However, it seems that no matter what scope we use in the 'One or More API Scopes' section, the authenticating application always has full access to all APIs and scopes.

I understand that the section is titled 'Manage third party OAuth Client access'.  Does this mean that internal applications authenticating with OAuth will always have full access?

[Shraddha Gupta]

It seems that you have 'Two-legged oauth access control' enabled for all APIs in the section "Manage Oauth Domain Key". That is overriding the limited scopes specified  in the section  titled 'Manage third party OAuth Client access'.

Uncheck the 'Two-legged oauth access control', to limit the access to APIs.