I have an app that uses refresh tokens. When using the refresh token to get a new access token, I’m noticing that some users have an empty scope on the access token, and some have a scope that matches the scopes used during login.
All users are using the same app to log in. So all users leverage the same login configuration and parameters. What could be different on each user that would make the scopes be different on these new access tokens?