IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Is the scope claim a string or an array of strings? #5396

Closed vanillajonathan closed 2 years ago

vanillajonathan commented 2 years ago

The RFC 7662 OAuth 2.0 Token Introspection has "scope" as a string. https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

The IdentityServer4 documentation has scope as a string. https://identityserver4.readthedocs.io/en/latest/topics/resources.html#authorization-based-on-scopes

{
   "typ": "at+jwt"
}.
{
   "client_id": "mobile_app",
   "sub": "123",

   "scope": "read write delete"
}

But from IdentityServer4 I get an access token with the scope as a list of strings.

{
  "nbf": 1638269462,
  "exp": 1638273062,
  "iss": "https://localhost:5001",
  "aud": "api",
  "client_id": "example",
  "sub": "123",
  "auth_time": 1638269460,
  "idp": "local",
  "scope": [ "openid", "profile", "email", "offline_access" ],
  "amr": [ "pwd" ]
}

Is this a bug?
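
An API that consumes these tokens can accept both representations. The following is an added example, not part of the issue thread or of IdentityServer4's code, that normalizes either form of the claim before an exact-match scope check. The function and class names are hypothetical, and the sample payloads are trimmed copies of the two tokens quoted above.

```python
"""Normalize the JWT "scope" claim, which may arrive as a string or an array."""

# Sample payloads: trimmed copies of the two tokens quoted in the issue.
DOC_STYLE = {"client_id": "mobile_app", "sub": "123",
             "scope": "read write delete"}
IS4_STYLE = {"client_id": "example", "sub": "123", "aud": "api",
             "scope": ["openid", "profile", "email", "offline_access"]}


class ScopeClaimError(ValueError):
    """The scope claim has a shape this API refuses to interpret."""


def normalize_scopes(claims: dict) -> frozenset:
    """Return the granted scopes as a set, whatever the wire form.

    Assumes the token's signature, issuer, audience and expiry were
    already validated; this only interprets the decoded payload.
    """
    raw = claims.get("scope")
    if raw is None:
        return frozenset()              # no scope claim: nothing granted
    if isinstance(raw, str):
        items = raw.split()             # space-delimited string form
    elif isinstance(raw, list):
        items = raw                     # JSON array form
    else:
        raise ScopeClaimError(f"unsupported scope type: {type(raw).__name__}")
    for item in items:
        # Every entry must be one non-empty token with no whitespace,
        # so an array element cannot smuggle in a second scope.
        if (not isinstance(item, str) or not item
                or any(ch.isspace() for ch in item)):
            raise ScopeClaimError(f"malformed scope entry: {item!r}")
    return frozenset(items)


def require_scope(claims: dict, needed: str) -> bool:
    """Exact-match check on the normalized set.

    Testing `needed in claims["scope"]` directly is a substring test
    when the claim is a string, so "read" would match "readonly".
    """
    return needed in normalize_scopes(claims)
```

Failing closed on an unexpected claim type keeps a malformed token from being treated as carrying any scope.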

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.