There are two related issues in the OAuth2 Device Authorization flow when no scopes are requested.
The first issue is that when a device_authorization request is made without a scope, everything works fine, but when both authorities and scope are empty, an error is thrown that does not comply with Section 3.3 of RFC-6749. The second issue is that the error itself is reported as a client_id error rather than a scope error. Therefore, we need to resolve these two issues.
There are two related issues in the OAuth2 Device Authorization flow when no scopes are requested.
The first issue is that when a
device_authorizationrequest is made without a scope, everything works fine, but when bothauthoritiesandscopeare empty, an error is thrown that does not comply with Section 3.3 of RFC-6749. The second issue is that the error itself is reported as aclient_iderror rather than ascopeerror. Therefore, we need to resolve these two issues.SCOPEinstead ofCLIENT_IDfor access_denied in device authorization consent #19258