Overview

The OAuth Scope Validation process MUST be performed on all OAuth Scope requests.
OAuth Scope values are used to request Claims, and there is no guarantee that the requested Claims will be returned. The Authorization Server MAY deny some of the requested OAuth Scopes based on Authorization Policy, or the Resource Owner (End-User) MAY be given the option to have the OpenID Connect Provider decline to provide some or all of the information requested by a Relying Party. To minimize the amount of information that the Resource Owner is being asked to disclose, a Relying Party can elect to request only a subset of the information available.
The OAuth Client/Relying Party MUST validate that the OAuth Scopes returned in the Access Token contain the necessary OAuth Scopes, and check whether the UserInfo Request claims match the UserInfo Response claims.
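
One way a Relying Party could implement both checks, as an added example that is not part of the original page. It assumes the granted scopes are read from the `scope` parameter of the token response and that claims were requested only through the standard OpenID Connect scopes; the function names and sample values are hypothetical.

```python
# Scope-to-claim mapping defined in OpenID Connect Core, section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def validate_scopes(token_response, requested, required):
    """Return (ok, granted, missing, unexpected) for a token response."""
    raw = token_response.get("scope")
    # RFC 6749 section 5.1: an omitted "scope" means the grant equals the request.
    granted = set(requested) if raw is None else set(raw.split())
    missing = set(required) - granted       # scopes the client cannot work without
    unexpected = granted - set(requested)   # granted but never asked for
    return (not missing and not unexpected), granted, missing, unexpected


def validate_userinfo(userinfo, granted, id_token_sub):
    """Return (ok, unrequested, withheld) for a UserInfo Response."""
    # OpenID Connect Core 5.3.2: sub must match the ID Token's sub exactly.
    if userinfo.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match ID Token sub")
    allowed = {"sub"}
    for scope in granted:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    returned = set(userinfo)
    unrequested = returned - allowed   # claims outside the granted scopes
    withheld = allowed - returned      # permitted, but the provider did not send them
    return not unrequested, unrequested, withheld


if __name__ == "__main__":
    # Constructed sample data: the server dropped "profile" from the request.
    requested = ["openid", "profile", "email"]
    token_response = {"access_token": "constructed-token", "token_type": "Bearer",
                      "scope": "openid email"}
    ok, granted, missing, unexpected = validate_scopes(
        token_response, requested, required={"openid", "email"})
    print("scopes ok:", ok, "missing:", missing, "unexpected:", unexpected)

    userinfo = {"sub": "248289761001", "email": "jane@example.com",
                "phone_number": "+1 555 0100"}
    print(validate_userinfo(userinfo, granted, "248289761001"))
```

Withheld claims are reported but do not fail the check, because the provider is allowed to decline requested claims; a claim outside the granted scopes does fail it.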