--- a/mod_http_oauth2/mod_http_oauth2.lua	Wed Jul 13 11:18:46 2022 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Wed Jul 13 11:20:09 2022 +0100
@@ -14,13 +14,21 @@
 
 local clients = module:open_store("oauth2_clients", "map");
 
-local function filter_scopes(request_jid, requested_scope_string) --luacheck: ignore 212/requested_scope_string
-	-- We currently don't really support scopes, so override
-	-- to whatever real permissions the user has
-	if usermanager.is_admin(request_jid, module.host) then
-		return "prosody:scope:admin";
+local function filter_scopes(username, host, requested_scope_string)
+	if host ~= module.host then
+		return usermanager.get_jid_role(username.."@"..host, module.host).name;
 	end
-	return "prosody:scope:default";
+
+	if requested_scope_string then -- Specific role requested
+		-- TODO: The requested scope string is technically a space-delimited list
+		-- of scopes, but for simplicity we're mapping this slot to role names.
+		local user_roles = usermanager.get_user_roles(username, module.host);
+		if user_roles[requested_scope_string] then
+			return requested_scope_string;
+		end
+	end
+
+	return usermanager.get_user_default_role(username, module.host).name;
 end
 
 local function code_expires_in(code)
@@ -81,7 +89,7 @@
 	end
 
 	local granted_jid = jid.join(request_username, request_host, request_resource);
-	local granted_scopes = filter_scopes(granted_jid, params.scope);
+	local granted_scopes = filter_scopes(request_username, request_host, params.scope);
 	return json.encode(new_access_token(granted_jid, granted_scopes, nil));
 end
 
@@ -99,7 +107,7 @@
 		return oauth_error("invalid_client", "incorrect credentials");
 	end
 
-	local granted_scopes = filter_scopes(granted_jid, params.scope);
+	local granted_scopes = filter_scopes(client_owner, client_host, params.scope);
 
 	local code = uuid.generate();
 	local ok = codes:set(params.client_id .. "#" .. code, {