In UAA there are two concepts, Authority and Scope.
These concepts seem to overlap. I would like to know the exact difference and purpose.
For example, oauth.login
Scopes define permissions which are associated with users. These are associated with OAuth clients for grant types involving users, which are: auth_code, password and implicit. This signifies what the application is allowed to access on the user's behalf (referred to as delegated authorization).
Authorities are permissions associated with the OAuth client when the application is acting on its own behalf and there is no user involvement. This is associated with the grant_type of Client_Credentials. The scenario is an application or API trying to access a resource with its own credentials without user involvement.
In UAA, oauth.login is a system-level permission and was being used by the legacy implementation of the login-server project (when UAA and Login Server were separate components). This permission allows admin-level access for the login server.
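The distinction above as an added example (not part of the original answer and not UAA source code): a simplified model of which client field feeds the token's `scope` claim per grant type. The client registration, the `orders.*` names and the user groups are constructed, and the intersection with the user's groups and the narrowing by requested scope are modelled here as assumptions about UAA's behaviour.

```python
# Simplified model (added example, not UAA source code) of which client
# field ends up in the access token's "scope" claim for each grant type.
USER_GRANTS = {"authorization_code", "password", "implicit"}

# Constructed sample client registration; names are hypothetical.
CLIENT = {
    "client_id": "orders-app",
    "authorized_grant_types": {"authorization_code", "client_credentials"},
    # Delegated permissions: what the client may receive on a user's behalf.
    "scope": {"openid", "orders.read", "orders.write"},
    # The client's own permissions, used when no user is involved.
    "authorities": {"uaa.resource", "orders.admin"},
}


def token_scopes(client, grant_type, user_groups=None, requested=None):
    """Return the set of scopes the issued token would carry."""
    if grant_type not in client["authorized_grant_types"]:
        raise ValueError(f"grant type {grant_type!r} not allowed for client")
    if grant_type == "client_credentials":
        # No user involved: the pool is the client's own authorities.
        pool = set(client["authorities"])
    elif grant_type in USER_GRANTS:
        if user_groups is None:
            raise ValueError("user grant requires the user's groups")
        # Delegated: the client only receives what the user actually holds.
        pool = client["scope"] & set(user_groups)
    else:
        raise ValueError(f"unsupported grant type {grant_type!r}")
    # An explicit scope request can narrow the result, never widen it.
    return pool & set(requested) if requested else pool


if __name__ == "__main__":
    user = {"openid", "orders.read", "billing.read"}  # constructed user groups
    print(sorted(token_scopes(CLIENT, "client_credentials")))
    print(sorted(token_scopes(CLIENT, "authorization_code", user_groups=user)))
```

A resource server sees both kinds of permission in the same `scope` claim, so a value such as `orders.admin` held only as an authority never reaches a user-delegated token.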