2020-10-03 UTC
# Zegnat I think the only take-away from the spec is that scope is optional because sometimes people just want to validate once. And when scope was empty in the first request, you should not issue them a token at all. But that is it. So before the code exchange step you should not really care about whether scope is empty or filled in