OTK not checking scope in authorize call


Article ID: 241895




CA API Gateway


We are migrating from GW 9.x and OTK 4.1 to GW 10.1 and OTK 4.4. We have noticed one significant change of behavior: in the authorization code flow, the authorize call will now not end with an 'invalid_scope' error if a scope not defined in the application properties is requested.

Instead, it would proceed and set scope 'oob' for the login page. We have tested with the default OTK installation to make sure this is not caused by some modifications done by us.

Is this expected behavior?



Release : 10.1



If no scope is defined on the client (application) registration, the authorize policy skips scope verification entirely, which was also the behavior in previous versions of the OAuth Toolkit.

This is expected behavior. Scope verification only runs against scopes that are defined on the client, so a client whose requests should be rejected with 'invalid_scope' for unknown scopes needs its permitted scopes defined in its registration.
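The decision described above, as an added illustration that is not the article's or the OAuth Toolkit's own code: a client registered with no scopes skips verification and proceeds with the default scope 'oob', while a client with registered scopes gets unknown scopes rejected with the RFC 6749 invalid_scope error. The `Client` type, `check_scope`, the `fail_closed` option and the sample registrations are assumptions made for this example; the fail-closed branch is a hardening alternative, not OTK behaviour.

```python
"""Added example: scope validation at an OAuth 2.0 authorize endpoint.

Illustrative code written for this article, not the OTK policy itself.
It models the behaviour the article describes (a client registered with no
scopes skips scope verification and proceeds with the default scope 'oob')
and shows a fail-closed alternative a deployment may prefer.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode

DEFAULT_SCOPE = "oob"  # assumption: the default scope the article reports


@dataclass(frozen=True)
class Client:
    client_id: str
    # Scopes allowed for this client; empty means "no scope defined"
    # (the situation the article describes).
    registered_scopes: frozenset = field(default_factory=frozenset)


def parse_scope(requested_scope):
    """Split the space-delimited 'scope' query parameter (RFC 6749 section 3.3)."""
    return frozenset(requested_scope.split()) if requested_scope else frozenset()


def check_scope(client, requested_scope, fail_closed=False):
    """Decide the effective scope for an authorize call.

    Returns (effective_scope, None) when the request may proceed, or
    (None, "invalid_scope") when it must be rejected.
    """
    requested = parse_scope(requested_scope)
    if not client.registered_scopes:
        # Article behaviour: nothing to verify against, so verification is
        # skipped and the login page gets the default scope.
        if fail_closed and requested:
            # Hardened alternative (assumption, not OTK behaviour): treat an
            # unrestricted registration as a misconfiguration and reject any
            # explicit scope request instead of silently downgrading it.
            return None, "invalid_scope"
        return DEFAULT_SCOPE, None
    if not requested:
        # No scope requested: RFC 6749 permits a server-defined default;
        # here, everything the client registered.
        return " ".join(sorted(client.registered_scopes)), None
    unknown = requested - client.registered_scopes
    if unknown:
        # At least one requested scope is not registered for this client.
        return None, "invalid_scope"
    return " ".join(sorted(requested)), None


def error_redirect(redirect_uri, error, state=None):
    """Build the error redirect from RFC 6749 section 4.1.2.1."""
    params = {
        "error": error,
        "error_description": "requested scope is not registered for this client",
    }
    if state is not None:
        params["state"] = state  # echo the client's state so it can correlate the reply
    return f"{redirect_uri}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample registrations, not real clients.
    unrestricted = Client("demo-no-scopes")
    restricted = Client("demo-rw", frozenset({"read", "write"}))
    cases = ((unrestricted, "admin"), (restricted, "read"), (restricted, "read admin"))
    for client, req in cases:
        scope, err = check_scope(client, req)
        outcome = scope if err is None else error_redirect("https://app.example/cb", err, "xyz")
        print(f"{client.client_id} scope={req!r} -> {outcome}")
```

Running the demo shows the three outcomes from the article side by side: the unrestricted client proceeds with `oob` whatever was requested, the restricted client gets `read`, and `read admin` produces the `invalid_scope` redirect.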