From 07e51e8232c427a1659cbe5a1c7a299c162b6dce Mon Sep 17 00:00:00 2001
From: "antoine.leveugle"
Date: Tue, 27 Jun 2017 17:42:36 +0200
Subject: [PATCH] fix: use AccessData scope instead of AccessRequest scope
In order to be able to modify the scopes list in Storage.SaveAccess, in case of the client tried to get unauthorized scopes. In the rfc6749#section-3.3: "If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted."
---
 access.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/access.go b/access.go
index 3871b8c..178f0e0 100644
--- a/access.go
+++ b/access.go
@@ -521,8 +521,8 @@ func (s *Server) FinishAccessRequest(w *Response, r *http.Request, ar *AccessReq
 if ret.RefreshToken != "" {
 w.Output["refresh_token"] = ret.RefreshToken
 }
- if ar.Scope != "" {
- w.Output["scope"] = ar.Scope
+ if ret.Scope != "" {
+ w.Output["scope"] = ret.Scope
 }
 } else {
 w.SetError(E_ACCESS_DENIED, "")
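Review bot: The new guard `if ret.Scope != "" {` still omits the `scope` parameter when storage has reduced a non-empty requested scope to nothing, so the client gets no signal that the grant differs from `ar.Scope` and may assume it received what it asked for. RFC 6749 section 5.1 makes `scope` required whenever the granted scope differs from the requested one, so the condition should compare the two, e.g. `if ret.Scope != "" || ret.Scope != ar.Scope {`, or the request should be rejected when nothing is left to grant. A comment above the check would also help, such as `// report the scope stored with the token (may be narrower than ar.Scope), per RFC 6749 section 3.3`. Whether `ret` reflects changes made in Storage.SaveAccess depends on code outside this hunk (presumably it is passed by pointer), and FinishAccessRequest begins and ends outside the visible lines.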