Hi,
In the client credentials docs it has the scope included in the request, but only the token_type, expires_in and access_token are included in the response. The scope is not included in the response.
What happens if a client requests a scope that they are not allowed access to?
According to the OAuth2 specification, it states that:
"If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted."
For example:
A client has been granted access to scope "scope1", but requests "scope1 scope2":
{ "grant_type": "client_credentials", "client_id" : "test", "client_secret" : "test_secret", "scope" : "scope1 scope2" }
The server responds with the expected fields:
{ "token_type": "Bearer", "expires_in": 86400, "access_token": "eyJ0eXAiOiJ........" }
There is nothing in the response to indicate to the client what scopes the access_token can be used for.
Should the response actually be:
{ "token_type": "Bearer", "expires_in": 86400, "access_token": "eyJ0eXAiOiJ........", "scope": "scope1" }
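The scope narrowing the issue describes, as an added example that is not the project's code: a token endpoint that grants only the intersection of the requested and registered scopes and, per RFC 6749 section 5.1, echoes "scope" whenever the grant differs from the request, plus the client-side check that reads it. The client registry, `issue_token` and `client_missing_scopes` are constructed for this example.

```python
"""Scope handling for an OAuth 2.0 client_credentials token response.

Added example, not the project's own code. RFC 6749 section 5.1 makes the
"scope" response parameter REQUIRED when the granted scope differs from the
requested one (OPTIONAL otherwise); section 3.3 lets the server narrow the
requested scope. The client registry below is constructed sample data.
"""
import secrets

# Constructed registry: client_id -> (client_secret, scopes the client may hold)
CLIENTS = {
    "test": ("test_secret", {"scope1"}),
}


def issue_token(request: dict) -> dict:
    """Handle a client_credentials token request and return the JSON body.

    Unknown client or wrong secret -> invalid_client; none of the requested
    scopes allowed -> invalid_scope; otherwise the token is narrowed to the
    allowed subset and "scope" is included whenever that subset differs from
    what was requested (the case raised in the issue above).
    """
    if request.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    entry = CLIENTS.get(request.get("client_id", ""))
    if entry is None or not secrets.compare_digest(entry[0], request.get("client_secret", "")):
        return {"error": "invalid_client"}
    allowed = entry[1]
    requested = request.get("scope", "").split()  # space-delimited, RFC 6749 section 3.3
    # No scope requested: fall back to the client's full registered scope.
    granted = [s for s in requested if s in allowed] if requested else sorted(allowed)
    if not granted:
        return {"error": "invalid_scope"}
    response = {
        "token_type": "Bearer",
        "expires_in": 86400,
        "access_token": secrets.token_urlsafe(32),  # opaque stand-in for the JWT
    }
    if granted != requested:
        response["scope"] = " ".join(granted)  # REQUIRED when the grant was narrowed
    return response


def client_missing_scopes(response: dict, requested: str) -> set:
    """Client side: the requested scopes this token cannot be used for.

    A successful response without "scope" means everything requested was granted.
    """
    granted = set(response.get("scope", requested).split())
    return set(requested.split()) - granted
```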