When the token endpoint verifies the given authorization code at the authorization endpoint, and the endpoint does not return any scope parameter, no access token should be issued. This is because someone might be trying to obtain an access token from an authorization code that was obtained for authentication (response_type=id) only.
As per Access Token Scope from The OAuth 2.0 Authorization Framework, empty scopes are invalid. IndieAuth can piggyback on this requirement to separate response_type=id (Authentication) and response_type=code (Authorization) flows.
(As per discussion in chat.)
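
A sketch of the proposed check at the token endpoint, as an added example that is not part of the original issue or of any IndieAuth implementation. It assumes the authorization endpoint's verification reply arrives as JSON or form-encoded text with `me` and `scope` fields. The function names and the choice of `invalid_grant` as the error code are also assumptions, since the text above does not name one.

```python
import json
import secrets
from urllib.parse import parse_qs

class TokenRequestError(Exception):
    """Refusal to issue a token; `error` is an OAuth 2.0 error code."""
    def __init__(self, error, description):
        super().__init__(description)
        self.error = error

def parse_verification_response(body, content_type):
    """Decode the authorization endpoint's reply into a dict."""
    if content_type.split(";")[0].strip().lower() == "application/json":
        data = json.loads(body)
        if not isinstance(data, dict):
            raise TokenRequestError("invalid_grant", "malformed verification response")
        return data
    # keep_blank_values so that "scope=" is seen as present but empty
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def granted_scopes(data):
    """Missing, null, non-string and whitespace-only scope all mean 'no scope'."""
    scope = data.get("scope")
    return scope.split() if isinstance(scope, str) else []

def issue_access_token(body, content_type="application/json"):
    """Issue a token only if the verified code carries at least one scope."""
    data = parse_verification_response(body, content_type)
    me = data.get("me")
    if not isinstance(me, str) or not me:
        raise TokenRequestError("invalid_grant", "verification returned no profile URL")
    scopes = granted_scopes(data)
    if not scopes:
        # The code was obtained for authentication only (response_type=id):
        # it identifies the user but must not be exchanged for an access token.
        raise TokenRequestError("invalid_grant", "authorization code carries no scope")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "scope": " ".join(scopes), "me": me}

if __name__ == "__main__":
    # Constructed sample replies from an authorization endpoint.
    for body in ('{"me": "https://user.example/", "scope": "create update"}',
                 '{"me": "https://user.example/"}'):
        try:
            print("issued, scope =", issue_access_token(body)["scope"])
        except TokenRequestError as exc:
            print("refused:", exc.error, "-", exc)
```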