Also, we do have custom claims (we should publish a spec and register them at IANA...) for very coarse-grained authorization that amounts to an application-level firewall logic that lets us isolate workloads by type (think prod vs QA vs dev, but also other things).
No OAuth library on the server side can get that right today (we'd have to contribute to them, which, ok, it's doable, but it takes time). This is one reason that I want to get each claim as a config item I can access in SQL code.

Nico --
