Problem statement
Our documentation indicates that the requested scopes:
can be found in the event.transaction.requested_scopes. This only appears to be the case for more transactional-based authorization flows such as Implicit, PKCE, and Authorization Code Flow.
Client Credential, Refresh Token, and ROPG flows do not populate the event.transaction.requested_scopes object within an Action.
Solution
For the Client Credential, Refresh Token And ROPG flows the scopes can instead be accessed within the event.request.body.scope object.