supported scopes are used as default scopes

[MarioHoberg]

If I got it correctly, when a token request (e.g.) with a client_crendentials grant and without scope is received, a token for all configured scopes is granted.

See code around https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L846

RFC6749 3.3. seems to allow for arbitrary defaults, but IMHO a library limiting the default to all available scopes is bad practice.

I suggest to fallback to an empty scope and maybe support a configurable default.

[rcwsr]

I'm also having this issue. Is it just a case of removing 'scope' => $this->getVariable(self::CONFIG_SUPPORTED_SCOPES, null) ?

[bropp]

Also having this issue. Only want to grant scopes when they are explicitly passed.

[Jwilsonps]

+1