From @mrenvoize on February 22, 2017 13:34
According to https://tools.ietf.org/html/rfc6749#page-40, although a client may request a list of scopes during the authorise call, the authorization server may return a reduced set of scopes.
Therefore, in each area where the list of available scopes may be reduced, we should return the reduced list rather than failing the authorization request outright.
By accepting the scopes list in the response from this callback, we allow the implementor the flexibility to work this way.
Copied from original issue: Humanstate/mojolicious-plugin-oauth2-server#5
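The behaviour the issue asks for, as an added illustration rather than code from the plugin: the server narrows the requested scope list to what the client is actually allowed, returns that reduced list instead of refusing, and includes the `scope` parameter in the token response whenever the granted set differs from the request (RFC 6749 section 5.1). It refuses only when nothing at all can be granted (`invalid_scope`, section 5.2). The scope names, client id and `CLIENT_ALLOWED` table are constructed sample data, not the plugin's API.

```python
# Constructed sample data (hypothetical, not from the plugin): the scopes this
# authorization server knows about and the subset each client may obtain.
KNOWN_SCOPES = {"read", "write", "admin", "profile"}
CLIENT_ALLOWED = {"client_abc": {"read", "write", "profile"}}


def parse_scope_param(scope):
    """RFC 6749 section 3.3: scope is a space-delimited, case-sensitive string."""
    return [s for s in scope.split(" ") if s]


def grant_scopes(client_id, requested):
    """Return the subset of the requested scopes this client may receive,
    preserving the order of the request.

    A partial grant is returned, not refused; only an empty result is an
    error, reported with the RFC 6749 section 5.2 code 'invalid_scope'.
    """
    allowed = CLIENT_ALLOWED.get(client_id, set())
    granted = [s for s in requested if s in KNOWN_SCOPES and s in allowed]
    if not granted:
        raise ValueError("invalid_scope")
    return granted


def token_response(client_id, requested_scope, access_token):
    """Build the access-token response body for a (narrowed) scope grant."""
    requested = parse_scope_param(requested_scope)
    granted = grant_scopes(client_id, requested)
    body = {"access_token": access_token, "token_type": "Bearer"}
    # RFC 6749 section 5.1: 'scope' is OPTIONAL if identical to what the client
    # asked for and REQUIRED otherwise, so the client learns what it was
    # narrowed to rather than assuming it got everything.
    if granted != requested:
        body["scope"] = " ".join(granted)
    return body


if __name__ == "__main__":
    # "admin" is silently dropped; the client is told what it actually got.
    print(token_response("client_abc", "read admin write", "tok-123"))
```

The check that matters for the callback is the `granted != requested` comparison: an implementor who returns a reduced list from the callback also needs the token endpoint to echo that list back, otherwise the client keeps believing it holds the scopes it originally asked for.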