Describe the bug
In your commit from 28 Oct (https://github.com/spring-projects/spring-security/commit/26a51ee1983a70e7db5c4b65857768ffd9825a2e) you changed the default behavior of AbstractWebClientReactiveOAuth2AccessTokenResponseClient.java for returning the default scopes. Now an empty list is always returned.
Considering the comment, it must be a bug.
To Reproduce
E.g. use spring-boot-starter-oauth2-client with spring-boot-starter-parent starting with v2.7.6.
Expected behavior
See the comment in the code:
As per RFC-6749 Section 5.1 Successful Access Token Response, if AccessTokenResponse.scope is empty, then default to the scope originally requested by the client in the Token Request.
Sample
// old code: a response without "scope" falls back to the scopes that were requested
Set<String> defaultScopes(T grantRequest) {
    return scopes(grantRequest);
}

// new code: a response without "scope" yields no scopes at all
Set<String> defaultScopes(T grantRequest) {
    return Collections.emptySet();
}
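The following is an added example, not part of the original issue and not Spring Security's own code, that makes the two behaviours above concrete outside the framework. It parses the space-delimited "scope" parameter of a token response (RFC 6749 Section 3.3) and resolves the effective scopes under both policies: the old one, which defaults to the requested scopes when the server omits "scope", and the new one, which records none. The class, method and enum names (TokenResponseScopes, parseScope, resolveScopes, MissingScopePolicy) are illustrative, and the token responses are constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Spring Security code): resolves the effective scopes of an
 * OAuth 2.0 access token response under the two policies shown in the issue.
 */
public final class TokenResponseScopes {

    /** What to do when the token response carries no "scope" parameter. */
    public enum MissingScopePolicy {
        /** Old behaviour: assume the server granted exactly what was requested. */
        DEFAULT_TO_REQUESTED,
        /** New behaviour: record no scopes, since the server stated none. */
        EMPTY
    }

    private TokenResponseScopes() {
    }

    /** Parses the space-delimited "scope" parameter (RFC 6749 Section 3.3) into an ordered set. */
    static Set<String> parseScope(String scope) {
        if (scope == null || scope.isBlank()) {
            return Collections.emptySet();
        }
        Set<String> scopes = new LinkedHashSet<>(Arrays.asList(scope.trim().split("\\s+")));
        return Collections.unmodifiableSet(scopes);
    }

    /**
     * @param tokenResponse   parsed JSON body of the token response (a Map here; constructed input)
     * @param requestedScopes scopes the client sent in the token request
     * @param policy          fallback to apply when the response has no "scope"
     */
    static Set<String> resolveScopes(Map<String, Object> tokenResponse,
                                     Set<String> requestedScopes,
                                     MissingScopePolicy policy) {
        Set<String> granted = parseScope((String) tokenResponse.get("scope"));
        if (!granted.isEmpty()) {
            // The server's statement wins, even when it is narrower than what was requested.
            return granted;
        }
        return policy == MissingScopePolicy.DEFAULT_TO_REQUESTED
                ? Collections.unmodifiableSet(new LinkedHashSet<>(requestedScopes))
                : Collections.emptySet();
    }

    public static void main(String[] args) {
        Set<String> requested = new LinkedHashSet<>(Arrays.asList("openid", "profile", "admin"));

        // Constructed responses: one that omits "scope", one that narrows the grant.
        Map<String, Object> noScope = Map.of(
                "access_token", "example-token", "token_type", "Bearer", "expires_in", 3600);
        Map<String, Object> narrowed = Map.of(
                "access_token", "example-token", "token_type", "Bearer", "scope", "openid profile");

        for (MissingScopePolicy policy : MissingScopePolicy.values()) {
            System.out.printf("%-21s no scope in response   -> %s%n", policy,
                    resolveScopes(noScope, requested, policy));
            System.out.printf("%-21s scope=\"openid profile\" -> %s%n", policy,
                    resolveScopes(narrowed, requested, policy));
        }
    }
}
```

The two policies differ only when the server omits "scope": with DEFAULT_TO_REQUESTED the client records "admin" as granted although the server never said so, while with EMPTY the client records nothing and the absence is visible to the application. When the server narrows the grant (the second constructed response), both policies record only what it stated.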
Comment From: sjohnr
Hi @sius, thanks for reaching out!
Please see the Impact section of this blog post for help resolving the effects of this fix. I'm going to close this issue for now as answered, but if you need any additional clarification on the blog post, please don't hesitate to ask.