My issue is with line 146 in ZF\MvcAuth\Authentication\DefaultAuthenticationListner
if ($this->oauth2Server->verifyResourceRequest($oauth2request))

The verifyResourceRequest method has a $scope parameter that isn't getting passed to the oauth server in this line so it is assumed that any scope is vaild for this request as $scope defaults to null.

I'm aware that at this point it would be necessary to identify what scope should be required for this request and pass it through to the verifyResourceRequest method so that the token can be checked for this scope.

Is the DefaultAuthenticationListner designed to be overridden so that I can implement functionality to check which scope is required for this request or am I missing something?

Originally posted by @CymruKakashi at zfcampus/zf-apigility#33