Fail OAuth2 grants when resulting scope is empty
- Do a Client Credentials or Password grant without specifying a scope and without any scope rules in action.
- An access token is granted with an empty scope.
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
We should return invalid_scope when the scope of a token is null, and let admins define a default scope with a scope rule if they want a default scope to be granted.
This is a breaking change; a changelog note is needed.
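
The behaviour proposed above, as an added Python example (not the project's code). `resolve_scope`, `OAuth2Error` and the `default` parameter, which stands in for an admin-defined scope rule, are hypothetical names; disallowed scopes are assumed to be dropped rather than rejected.

```python
# Added illustration; all names are hypothetical, not the project's API.
from typing import Iterable, Optional


class OAuth2Error(Exception):
    """Error rendered as an RFC 6749 section 5.2 token error response."""

    def __init__(self, error: str, description: str, status: int = 400):
        super().__init__(description)
        self.error, self.description, self.status = error, description, status

    def to_response(self) -> dict:
        return {"error": self.error, "error_description": self.description}


def resolve_scope(requested: Optional[str],
                  allowed: Iterable[str],
                  default: Iterable[str] = ()) -> str:
    """Return the space-delimited scope for the token, or raise invalid_scope.

    requested: raw `scope` request parameter (None when omitted).
    allowed:   scopes this client may obtain.
    default:   admin-defined default scope (stands in for a scope rule).
    """
    allowed_set = set(allowed)
    # A missing or whitespace-only parameter counts as "scope omitted".
    asked = requested.split() if requested else []
    # Scope omitted: only a configured default may be granted.
    candidate = asked if asked else list(default)
    # Drop scopes the client may not obtain, de-duplicate, keep order.
    granted = list(dict.fromkeys(s for s in candidate if s in allowed_set))
    if not granted:
        # Never issue a token with an empty scope.
        reason = ("requested scope is not allowed" if asked
                  else "no scope requested and no default scope defined")
        raise OAuth2Error("invalid_scope", reason)
    return " ".join(granted)
```
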