It isn't checked whether the client scope in AuthorizeController::validateAuthorizeRequest exists in the given storage.
https://github.com/bshaffer/oauth2-server-php/blob/5a0c8000d4763b276919e2106f54eddda6bc50fa/src/OAuth2/Controller/AuthorizeController.php#L307-L315
https://github.com/bshaffer/oauth2-server-php/blob/5a0c8000d4763b276919e2106f54eddda6bc50fa/src/OAuth2/Scope.php#L48-L54
The requested scope is only checked for existence if the clientScope is empty. But if both client and requested scopes are set and equal, it isn't checked whether the scopes exist in the storage at all.
Is this intentional, as the scope which is set in the client's entries should exist in the scope storage?
I just wonder because when some scope is removed from the storage, the clients with that scope are still working. I would assume that this would also return an invalid_scope error.
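The following is an added illustration of the validation order the report is asking about; it is not code from bshaffer/oauth2-server-php and does not reproduce the library's AuthorizeController or Scope classes. The class InMemoryScopeStorage and the function validateScope are hypothetical stand-ins, and the sample scopes are constructed. It shows a client whose registered scope still names a scope that has since been removed from the server's scope storage, and performs the storage-existence check independently of whether the client scope matched, so the removed scope is rejected with invalid_scope.

```php
<?php
// Added example, not part of bshaffer/oauth2-server-php.
// InMemoryScopeStorage and validateScope are hypothetical names.

final class InMemoryScopeStorage
{
    /** @var array<string,bool> scopes currently configured on the server */
    private array $known;

    /** @param string[] $scopes */
    public function __construct(array $scopes)
    {
        $this->known = array_fill_keys($scopes, true);
    }

    /** True only if every space-separated scope is still defined server-side. */
    public function scopeExists(string $scope): bool
    {
        foreach (array_filter(explode(' ', trim($scope))) as $s) {
            if (!isset($this->known[$s])) {
                return false;
            }
        }
        return true;
    }
}

/**
 * Returns null when the requested scope is acceptable, otherwise the OAuth2
 * error code the authorize endpoint should answer with.
 *
 * Two conditions are checked, and the second runs regardless of the first:
 *  1. The requested scope is a subset of the scope registered for the client
 *     (only if the client has a scope restriction configured).
 *  2. Every requested scope still exists in the server's scope storage, so a
 *     scope removed from storage is rejected even if the client entry lists it.
 */
function validateScope(string $requestedScope, string $clientScope, InMemoryScopeStorage $storage): ?string
{
    $requested = array_filter(explode(' ', trim($requestedScope)));
    if ($requested === []) {
        return 'invalid_scope';
    }

    // Condition 1: client restriction, when one is configured.
    if ($clientScope !== '') {
        $allowed = array_filter(explode(' ', trim($clientScope)));
        if (array_diff($requested, $allowed) !== []) {
            return 'invalid_scope';
        }
    }

    // Condition 2: the scope must still be defined in storage.
    if (!$storage->scopeExists($requestedScope)) {
        return 'invalid_scope';
    }

    return null;
}

// Constructed sample: the client was registered with "read write", but
// "write" has since been removed from the server's scope storage.
$storage = new InMemoryScopeStorage(['read', 'profile']);
$clientScope = 'read write';

var_dump(validateScope('read', $clientScope, $storage));
var_dump(validateScope('read write', $clientScope, $storage));
var_dump(validateScope('profile', $clientScope, $storage));
```

In this arrangement the first call succeeds, the second is rejected because "write" is no longer in storage even though the client entry still grants it, and the third is rejected because "profile" exists in storage but was never granted to the client. Ordering the storage check after the client check, but not making it conditional on the client scope being empty, is what closes the gap described in the report.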