It isn't. OAuth2 really did away with AuthZ and focused on AuthN, regardless of what anyone says.

You have scopes but even those outside of the OIDC scopes are wishy washy and meaningless outside of each implementation.