{"id":"oauthclient-scope-restriction-allowlist","text":"OAuthClient scope restrictions use an allowlist model: any matching restriction allows the scope; if no restriction matches, the scope is denied.","truth_value":"IN","source":"entries/2026/03/05/en-documentation-openshift_container_platform-417-html-oauth_apis-oauthclient-oa.md","source_url":"","source_hash":"37dfbea5ca863bb3","justifications":[],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"oauthclient-scope-restriction-allowlist","truth_value":"IN","reason":"premise"}]}}