"If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted. If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."
RFC 7591 Section 2 allows a dynamic client registration to include a "scope" parameter.
"String containing a space-separated list of scope values (as described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client can use when requesting access tokens. The semantics of values in this list are service specific. If omitted, an authorization server MAY register a client with a default set of scopes."
Unless there's something more definitive that says that the registered scopes are supposed to become the default for that client, I think we ought to clarify that the token request needs to include (the relevant subset of) them explicitly.
Following Slack discussion yesterday...
RFC 6749 Section 3.3 allows that the "scope" is optional in a token request.
RFC 7591 Section 2 allows a dynamic client registration to include a "scope" parameter.
Unless there's something more definitive that says that the registered scopes are supposed to become the default for that client, I think we ought to clarify that the token request needs to include (the relevant subset of) them explicitly.