diff --git a/lib/doorkeeper/oauth/password_access_token_request.rb b/lib/doorkeeper/oauth/password_access_token_request.rb
index 4ee2bfcd5..6e83dc6a4 100644
--- a/lib/doorkeeper/oauth/password_access_token_request.rb
+++ b/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -15,13 +15,15 @@ class PasswordAccessTokenRequest
 :client_secret,
 :grant_type,
 :username,
- :password
+ :password,
+ :scope
 ]
 validate :attributes, :error => :invalid_request
 validate :grant_type, :error => :unsupported_grant_type
 validate :client, :error => :invalid_client
 validate :resource_owner, :error => :invalid_resource_owner
+ validate :scope, :error => :invalid_scope
 attr_accessor *ATTRIBUTES
 attr_accessor :resource_owner
@@ -29,6 +31,7 @@ class PasswordAccessTokenRequest
 def initialize(owner, attributes = {})
 ATTRIBUTES.each { |attr| instance_variable_set("@#{attr}", attributes[attr]) }
 @resource_owner = owner
+ @scope ||= Doorkeeper.configuration.default_scope_string
 validate
 end
@@ -91,12 +94,17 @@ def client
 def create_access_token
 @access_token = Doorkeeper::AccessToken.create!({
- :application_id => client.id,
- :resource_owner_id => resource_owner.id,
- :expires_in => configuration.access_token_expires_in
+ :application_id => client.id,
+ :resource_owner_id => resource_owner.id,
+ :scopes => @scope,
+ :expires_in => configuration.access_token_expires_in
 })
 end
+ def has_scope? Doorkeeper.configuration.scopes.all.present? end + def validate_attributes grant_type.present? end
@@ -105,6 +113,11 @@ def validate_client
 !!client
 end
+ def validate_scope return true unless has_scope? ScopeChecker.valid?(scope, configuration.scopes) end + def validate_grant_type grant_type == 'password' end
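Review bot: `@scope ||= Doorkeeper.configuration.default_scope_string` in `initialize` only fills in the default when the request carried no `scope` at all; a request whose `scope` parameter is present but empty keeps `""`, and that empty string is what `validate_scope` checks and `create_access_token` stores. If a blank scope should also fall back to the default, `@scope = configuration.default_scope_string if @scope.blank?` does that and also uses the `configuration` helper the other hunks in this commit call, instead of reaching for `Doorkeeper.configuration` directly. The new line is placed before `validate`, so the default is in place before `validate_scope` runs, which is the right order. The enclosing class continues outside the hunk.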
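Review bot: `has_scope?` answers a question about server configuration (are any scopes defined at all?) rather than about this request, and the `has_` prefix is not idiomatic for a Ruby predicate; a name such as `scopes_configured?` would read correctly at its call site in `validate_scope`, and it could use the `configuration` helper the `:expires_in` line above it already uses, `configuration.scopes.all.present?`. Whether `has_scope?` ends up public depends on where the class's `private` marker sits, which is outside this hunk; if it is an internal helper it belongs below that marker. Since `create_access_token` now persists `@scope` into the token's `:scopes`, a short comment on that line such as `# client-requested scope string, defaulted in #initialize and checked by #validate_scope` would help the next reader.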
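Review bot: `return true unless has_scope?` in `validate_scope` skips scope validation entirely when the server has no scopes configured, yet `create_access_token` (previous hunk) still writes the client-supplied `@scope` string into the token's `:scopes`, so in that configuration a token is issued with whatever unvalidated scope value the request carried. Whether anything downstream trusts that column is outside this hunk, but persisting an unvalidated client value is worth avoiding: either accept only a blank scope in that case, `return scope.blank? unless has_scope?`, or have `create_access_token` store `nil` for `:scopes` when no scopes are configured. The method also reads `scope` through the accessor while `create_access_token` reads `@scope` directly; using one form in both places keeps it obvious they are the same value. The class continues outside the hunk.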