Have Keycloak deny (granting) token when scope is empty


The OAuth RFC 6749 specifies: "If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."

I need to implement the "fail the request" path; however, I can't (in Keycloak) find a way to fail if there are no scopes in the claim. It just gives an access token with an empty scope (or the ones configured as default).
