Open
Description
Our team have used this JWT client for authorization by RFC-7523. In fact, the resulting "assertion" of this client has a claim with a "scope", but there is no "scope" field in the POST request as described in 4.1 of RFC-7521.
I mean, the request must look like this:
```
POST /token.oauth2 HTTP/1.1
Host: authz.example.net
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&scope=test
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.
eyJpc3Mi[...omitted for brevity...].
J9l-ZhwP[...omitted for brevity...]
```
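An added example, not part of the original issue and not the client's own code: a small Python diagnostic that builds the JWT bearer token request body with `scope` as a separate form parameter and flags an outgoing body whose assertion carries a `scope` claim that is not mirrored in the form. The function names, the sample token, and the expectation that the claim and the parameter should match are assumptions made for illustration.

```python
import base64, json
from urllib.parse import urlencode, parse_qs

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def claims_of(assertion: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_token_body(assertion: str, scope=None) -> str:
    """Form body for the JWT bearer grant; scope travels as its own parameter."""
    params = {"grant_type": JWT_BEARER, "assertion": assertion}
    if scope:
        params["scope"] = " ".join(scope)  # space-delimited list of scope values
    return urlencode(params)

def check_token_body(body: str) -> list:
    """Return the problems found in an outgoing token request body."""
    form = parse_qs(body)
    problems = []
    if form.get("grant_type") != [JWT_BEARER]:
        problems.append("grant_type is not jwt-bearer")
    if "assertion" not in form:
        return problems + ["assertion missing"]
    claim = claims_of(form["assertion"][0]).get("scope")
    wanted = set(claim.split()) if isinstance(claim, str) else set(claim or [])
    sent = set(form.get("scope", [""])[0].split())
    if wanted and not sent:
        problems.append("scope claim present in assertion but no scope form parameter")
    elif wanted != sent:
        problems.append("scope form parameter differs from scope claim")
    return problems

# Constructed sample assertion: unsigned placeholder, not a real token.
SAMPLE = ".".join([b64url(b'{"alg":"ES256"}'),
                   b64url(json.dumps({"iss": "client", "scope": "test"}).encode()),
                   "sig-placeholder"])

if __name__ == "__main__":
    print(check_token_body(build_token_body(SAMPLE)))            # behaviour reported above
    print(check_token_body(build_token_body(SAMPLE, ["test"])))  # expected request shape
```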