Overview
Implicit Scopes (also referred to as Privileged Scope) are OAuth Scopes granted by the Authorization Server based on Authorization Policy for the Resource Owner, or the OAuth Client on the Resource Owner's behalf, and may be a Trust Elevation event.
The Implicit Scopes may be granted based on the:
Resources that are publicly available for any Authenticated Resource Owner that is also a customer.
When the Resource Owner is utilizing Social Login, the Authorization Server may determine that this user is also a Customer. The Authorization Policy says that any Customer may be granted the "read_premium" OAuth Scope, so the Authorization Server would grant the Implicit Scope "read_premium".
An application may have some Resources that are publicly available for any Authenticated Resource Owner. A "read" Implicit Scope could be granted in the Access Token without being requested.
acr implies which Authentication Method was used. The Authorization Server could grant some "elevated" OAuth Scopes based on the Authorization Policy and the Multi-Factor Authentication used.
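The three cases above can be expressed as one policy evaluation at token issuance. The following is an added example, not code from the original page or from any Authorization Server product. The policy table, the "elevated" scope name, the acr value and the rule that implicit scopes are capped by the client's registration are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: acr values this deployment treats as Multi-Factor Authentication.
MFA_ACR_VALUES = {"urn:example:acr:mfa"}

@dataclass(frozen=True)
class AuthContext:
    authenticated: bool
    is_customer: bool           # e.g. a Social Login identity matched to a customer record
    acr: Optional[str] = None   # authentication context reported for this login

# Hypothetical Authorization Policy: implicit scope -> condition for granting it.
# "read" and "read_premium" are the page's scope names; "elevated" is a stand-in.
POLICY = {
    "read": lambda c: c.authenticated,
    "read_premium": lambda c: c.authenticated and c.is_customer,
    "elevated": lambda c: c.authenticated and c.acr in MFA_ACR_VALUES,
}

def grant_scopes(requested: str, ctx: AuthContext, client_allowed: set):
    """Return (granted, implicit): the full grant and the scopes added unrequested."""
    asked = set(requested.split())
    # Scopes the policy awards for this authentication, capped by the client's
    # registration (assumption) so policy never exceeds what the client may hold.
    earned = {s for s, rule in POLICY.items() if rule(ctx)} & client_allowed
    # A policy-gated scope is never granted just because it was requested.
    explicit = {s for s in asked & client_allowed if s not in POLICY}
    return explicit | earned, earned - asked

def token_response(requested: str, ctx: AuthContext, client_allowed: set):
    """Return (response, audit): the token response and the implicit grants to log."""
    granted, implicit = grant_scopes(requested, ctx, client_allowed)
    resp = {"access_token": "<opaque>", "token_type": "Bearer"}
    # RFC 6749 section 5.1: "scope" is REQUIRED when the grant differs from the request.
    if granted != set(requested.split()):
        resp["scope"] = " ".join(sorted(granted))
    # Implicit grants are returned separately so a Trust Elevation event can be audited.
    return resp, sorted(implicit)
```

Because the client did not ask for the implicit scopes, the returned "scope" value is the only way it learns what the Access Token actually carries.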