Reading through this : https://tools.ietf.org/html/rfc6749#section-3.3 trying to understand scopes. According to the spec, scopes are defined in the auth server but need no
