In the Conformance Test Suite (CTS) test Amending Account for An Existing Consent Scenario with PAR, the test is failing, as the scope parameter is not passed in the token response. Is this correct behaviour according to the standards?
It is correct to require the Authorization Server (AS) to return the list of granted scopes.
Currently the data standards rely on FAPI ID2 (Draft 06) which requires the scopes to be returned from the authorisation request. Note, even with FAPI 1.0 Final, the AS must return the list of granted scopes when they are different to the list of scopes requested by the client, even for integrity protected authorisation calls.
RFC6749 (OAuth 2.0 Authorization Framework) states for the token response, scope is:
OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED.