As per Access Token Scope from The OAuth 2.0 Authorization Framework, there must always be scopes defined in the authorization flow:
If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).
The Authorization Endpoint should only give out an access code for response_type=code-requests if scopes have been provided or a default list could be used.
IndieAuth can piggyback on this OAuth requirement to separate response_type=id (Authentication) and response_type=code (Authorization) flows. (As per discussion in chat.)
I've marked the scope as optional, and required that auth servers set a default if the client does not set one. I believe that addresses the issue here.
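The endpoint decision discussed in this thread, as an added example that is not code from the issue, the spec or any IndieAuth implementation: a `response_type=id` request is authentication only, while a `response_type=code` request gets a code only when scopes are supplied or a default exists, and otherwise fails with `invalid_scope`. The function names, the scope names (`profile`, `create`, `update`), the choice to ignore a scope sent with `response_type=id`, and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode

# Assumption: the server's documented default scope for response_type=code.
# Pass default_scope=None to model a server that defines no default.
DEFAULT_SCOPE = ("profile",)


def _error(params, code):
    # Assumption: redirect_uri is present and was already validated against
    # the client before any error is sent back to it.
    sep = "&" if "?" in params["redirect_uri"] else "?"
    fields = {"error": code}
    if "state" in params:
        fields["state"] = params["state"]
    return ("error", params["redirect_uri"] + sep + urlencode(fields))


def decide(query, default_scope=DEFAULT_SCOPE):
    """Return (kind, detail) for a raw authorization-request query string."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    rtype = params.get("response_type")
    if rtype == "id":
        # Authentication only: no scopes are granted, even if some were sent.
        return ("authentication", ())
    if rtype != "code":
        return _error(params, "unsupported_response_type")
    # Scopes are space-delimited and case-sensitive; drop duplicates, keep order.
    scopes = tuple(dict.fromkeys(params.get("scope", "").split()))
    if not scopes:
        if not default_scope:
            return _error(params, "invalid_scope")  # no scope and no default
        scopes = tuple(default_scope)
    return ("authorization", scopes)


# Constructed sample requests.
SAMPLES = [
    "response_type=id&redirect_uri=https://app.example/cb&state=s1&scope=create",
    "response_type=code&redirect_uri=https://app.example/cb&state=s2&scope=create+update+create",
    "response_type=code&redirect_uri=https://app.example/cb&state=s3",
    "response_type=code&redirect_uri=https://app.example/cb&state=s4&scope=",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(decide(q), "| without a default:", decide(q, default_scope=None))
```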