TokenGenerator._get_refresh_token doesn't leave the scope attribute on self.access_token alone if the request had no scope parameter (i.e. self.scope is None).
scope
OPTIONAL. The scope of the access request as described by
Section 3.3. The requested scope MUST NOT include any scope
not originally granted by the resource owner, and if omitted is
treated as equal to the scope originally granted by the
resource owner.
TokenGenerator._get_refresh_tokendoesn't leave thescopeattribute onself.access_tokenalone if the request had noscopeparameter (i.e.self.scope is None).RFC 6749 says:
Fix to be attached shortly…