indieweb / indieauth

IndieAuth.net website code and IndieAuth Specification

Authorization Endpoint should always set scopes for response_type=code requests. #6

Closed Zegnat closed 6 years ago

Zegnat commented 6 years ago

As per Access Token Scope from The OAuth 2.0 Authorization Framework, there must always be scopes defined in the authorization flow:

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope.  The authorization server SHOULD
document its scope requirements and default value (if defined).

The Authorization Endpoint should only give out an access code for response_type=code requests if scopes have been provided or a default list could be used.

IndieAuth can piggyback on this OAuth requirement to separate response_type=id (Authentication) and response_type=code (Authorization) flows.

(As per discussion in chat.)

aaronpk commented 6 years ago

I've marked the scope as optional, and required that auth servers set a default if the client does not set one. I believe that addresses the issue here.
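The rule discussed in this thread, shown as an authorization-endpoint check (an added example, not code from the indieweb/indieauth repository): response_type=id requests carry no scopes, and a response_type=code request without a scope parameter is either given the server's documented default or refused with invalid_scope. The supported-scope set and the default list are constructed for the example, and treating a missing response_type as id is an assumption about the server's configuration.

```python
from urllib.parse import parse_qs

# Constructed example set of scopes this endpoint knows how to grant.
SUPPORTED_SCOPES = {"create", "update", "delete", "media"}


def resolve_scopes(query, default_scopes=None):
    """Apply the RFC 6749 scope rule to an IndieAuth authorization request.

    `query` is the raw query string of the request to the authorization
    endpoint. `default_scopes` is the server's documented default (None
    means the server defines no default). Returns (ok, payload): on success
    payload is the list of scopes to attach to the code (empty for an
    authentication-only response_type=id request); on failure it is the
    OAuth error code the endpoint should return.
    """
    params = parse_qs(query, keep_blank_values=True)
    # Assumption: a missing response_type is treated as id (authentication).
    response_type = params.get("response_type", ["id"])[0]

    if response_type == "id":
        # Authentication only: no access token will be issued, so no scope
        # is granted regardless of what the client sent.
        return True, []
    if response_type != "code":
        return False, "unsupported_response_type"

    raw = params.get("scope", [""])[0].strip()
    if not raw:
        # Client omitted scope: use the documented default or fail the
        # request. Never hand out a code with an undefined scope set.
        if default_scopes:
            return True, list(default_scopes)
        return False, "invalid_scope"

    # scope is a space-delimited list (RFC 6749 section 3.3); reject any
    # value the server does not support rather than silently dropping it.
    requested = raw.split()
    if any(s not in SUPPORTED_SCOPES for s in requested):
        return False, "invalid_scope"
    return True, requested
```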