However, I'm getting push-back from some of my clients/customers. It seems like they want to be able to just give their users access to my app, and my app only. Then when their users access my app, they expect it to have full functionality.
Technically, this is doable because I could just use the offline token for everything and build my own graphql proxy. However, this just feels... dirty.
Is it against any rules to implement things this way? Should I just stick to my guns and tell them that they need to give their users the full permissions that my app needs? Obviously, I want to make things as easy as possible for my customers.