Affects Version/s: Master, 1.0-portal_7.1.0
When using authorization code grant, if the client wants to narrow down the available scopes for that token the request is ignored and all assigned scopes are granted and returned for the token.
Other grants work.
Steps to reproduce:
1. Create an application and assign more than one resource scope to it.
2. Get a token using authorization code grant. When asking for the authorization specify only one of the assignes scopes.
3. Finish the flow
the token response should only contain the requested scope.
the token response contains all the assigned scopes instead of the requested one.