Spring oauth2 scope vs authorities(roles)

I noticed a client has both scope and authorities

A client only has scopes, but we can also treat a scope as an authority (role), because the OAuth2 spec does not prescribe what a scope is used for.

Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have the scope write_facebook_status. Although the user has the authority to change their own profile, that does not mean Twitter can also change the user's profile. In other words, scopes are the client's authorities/roles, not the user's authorities/roles, and a resource server should check both: the scope limits what the client may do on the user's behalf, the user's role limits what the user may do at all.
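As an added example, not from the original post: a Spring Security OAuth2 (the legacy spring-security-oauth module) client definition covering the fields discussed on this page, plus a resource endpoint that enforces the client's scope and the user's role as two separate checks. The client id, secret, redirect URL and scope value are assumed.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableAuthorizationServer
public class ClientConfig extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder;

    public ClientConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // client_id / client_secret (assumed sample values)
            .withClient("twitter-app")
            .secret(passwordEncoder.encode("change-me"))
            .authorizedGrantTypes("authorization_code", "refresh_token")
            // scope: what this client may do on the user's behalf
            .scopes("write_facebook_status")
            // authorities: the client's own roles, independent of any user
            .authorities("ROLE_CLIENT")
            // web_server_redirect_url: the callback the server redirects to with the grant
            .redirectUris("https://twitter.example/oauth/callback")
            // access_token_validity = 60 s as in the text; refresh_token_validity = 1 day
            .accessTokenValiditySeconds(60)
            .refreshTokenValiditySeconds(86400);
    }
}

@RestController
class StatusController {
    // Two independent checks: the token's scope (client authority) and the
    // user's role. A token carrying only write_facebook_status cannot be used
    // against an endpoint guarded by a different scope, whatever the user's roles.
    @PreAuthorize("#oauth2.hasScope('write_facebook_status') and hasRole('USER')")
    @PostMapping("/facebook/status")
    public String postStatus(String text) {
        return "posted: " + text;
    }
}
```

The `#oauth2` expressions are only available when `OAuth2MethodSecurityExpressionHandler` is registered as the method-security expression handler.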

web_server_redirect_url

This is the URL the authorization server redirects back to (the client's callback that receives the authorization grant) after the user has authorized the client. The redirect_uri sent in the authorization request has to match this registered value; that match is what keeps the grant from being delivered to an unregistered URL.

access_token_validity

This is the access_token expiration time in seconds. Set it to -1 or 0 for a token that never expires. If you set it to 60, your access_token becomes invalid after 1 minute; you then either request a new token by going through the authorization process again or use the refresh_token.

refresh_token_validity

This is the refresh_token expiration time, also in seconds.
