When a request for a device code to the `/devicecode` endpoint does not specify the list of scopes, then the subsequent request to the `/token` endpoint returns a 500 server error:

```json
{
  "error": "server_error",
  "error_description": "Internal Server Error"
}
```
The OAuth specification says:

> If the client omits the scope parameter when requesting
> authorization, the authorization server MUST either process the
> request using a pre-defined default value or fail the request
> indicating an invalid scope. The authorization server SHOULD
> document its scope requirements and default value (if defined).

Since in other flows IAM returns all the scopes allowed for the client when the scope parameter is not specified, I suggest using the same approach for the device code flow.
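
The two outcomes the specification allows for an omitted `scope`, sketched as an added example (this is not IAM's code; `Client`, `resolve_scopes`, `device_authorization` and the client data are hypothetical names constructed for illustration). The scope set is resolved when the device code is issued, so the later `/token` request never sees an empty grant:

```python
# Added example: scope resolution for a device authorization request.
# All names and client data here are constructed, not taken from IAM.
from dataclasses import dataclass


class OAuthError(Exception):
    def __init__(self, error, description, status=400):
        super().__init__(description)
        self.error, self.description, self.status = error, description, status

    def body(self):
        return {"error": self.error, "error_description": self.description}


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: frozenset


def resolve_scopes(client, scope_param, default_to_allowed=True):
    """Return the scope set to bind to the device code.

    An omitted or blank `scope` either falls back to the client's allowed
    scopes or is rejected with invalid_scope; it never yields None.
    """
    requested = set((scope_param or "").split())
    if not requested:
        if default_to_allowed and client.allowed_scopes:
            return set(client.allowed_scopes)
        raise OAuthError("invalid_scope", "scope parameter is required")
    extra = requested - client.allowed_scopes
    if extra:
        raise OAuthError("invalid_scope",
                         "scope not allowed: " + " ".join(sorted(extra)))
    return requested


def device_authorization(client, params, default_to_allowed=True):
    """Handle a device code request; the stored grant always has scopes."""
    try:
        scopes = resolve_scopes(client, params.get("scope"), default_to_allowed)
    except OAuthError as e:
        # A client error, reported as 400 invalid_scope rather than a 500.
        return e.status, e.body()
    grant = {"client_id": client.client_id, "scope": " ".join(sorted(scopes))}
    return 200, grant
```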