This article describes how you can restrict the OAuth scopes that specific Okta apps may request by adding access policies with access rules to an authorization server.
Step 1 — Create Auth Server
Go to https://<your-okta-admin-domain>/admin/oauth2/as & create an auth server:
Step 2 — Create Access Policy
Open the auth server, go to the Access Policies tab & create a policy for the Okta app for which you want to restrict OAuth scopes:
Step 3 — Create Access Rule
Create an access rule within this access policy & include only the scopes that you want the app to be able to use:
Henceforth, the Okta app won’t be able to obtain any scopes from this authorization server except the ones listed in the rule.
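The same three steps expressed against the Okta Management API, as an added example that is not part of the original article: the policy is pinned to one client ID and the rule grants only the listed scopes, with a small offline check showing which requested scopes such a rule would reject. The domain, API token, client ID and scope list are placeholders you must replace; the request bodies follow the documented shapes for authorization server policies and rules.

```python
"""Restrict OAuth scopes for one Okta app via authorization server policy + rule."""
import json
import urllib.request

OKTA_DOMAIN = "https://your-okta-domain.okta.com"  # placeholder, replace
API_TOKEN = "<SSWS-API-TOKEN>"                      # placeholder, replace
CLIENT_ID = "0oa_example_client_id"                 # placeholder app client ID
ALLOWED_SCOPES = ["openid", "profile"]              # constructed sample allow-list


def policy_body(client_id, name="Restrict scopes for app"):
    """Step 2: an access policy that applies only to the given Okta app (client)."""
    return {
        "type": "OAUTH_AUTHORIZATION_POLICY",
        "status": "ACTIVE",
        "name": name,
        "description": "Only the listed app is evaluated against this policy",
        "priority": 1,
        "conditions": {"clients": {"include": [client_id]}},
    }


def rule_body(scopes, name="Allowed scopes only"):
    """Step 3: an access rule that grants nothing beyond the listed scopes."""
    return {
        "type": "RESOURCE_ACCESS",
        "status": "ACTIVE",
        "name": name,
        "priority": 1,
        "conditions": {
            "people": {"groups": {"include": ["EVERYONE"]}},
            "grantTypes": {"include": ["authorization_code"]},
            "scopes": {"include": list(scopes)},   # "*" would mean any scope
        },
        "actions": {"token": {"accessTokenLifetimeMinutes": 60,
                              "refreshTokenLifetimeMinutes": 0,
                              "refreshTokenWindowMinutes": 10080}},
    }


def disallowed_scopes(requested, rule):
    """Scopes in a token request that the rule does not grant; any hit means rejection."""
    allowed = set(rule["conditions"]["scopes"]["include"])
    if "*" in allowed:          # wildcard rule: everything is granted
        return []
    return sorted(set(requested) - allowed)


def create(path, body):
    """POST one Management API object; returns the parsed JSON response."""
    req = urllib.request.Request(OKTA_DOMAIN + path, data=json.dumps(body).encode(),
                                 headers={"Authorization": "SSWS " + API_TOKEN,
                                          "Content-Type": "application/json",
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    auth_server = create("/api/v1/authorizationServers",
                         {"name": "Restricted API", "audiences": ["api://restricted"]})  # Step 1
    policy = create(f"/api/v1/authorizationServers/{auth_server['id']}/policies",
                    policy_body(CLIENT_ID))                                              # Step 2
    create(f"/api/v1/authorizationServers/{auth_server['id']}/policies/{policy['id']}/rules",
           rule_body(ALLOWED_SCOPES))                                                    # Step 3
```

Run it only after replacing the placeholders; the `disallowed_scopes` helper needs no network and shows why a request for `groups` fails against a rule that lists only `openid` and `profile`.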