Because:
- Firefox-native OAuth flows hard-code requested scopes on the client.
ADR 0049 moves the source of truth to the auth-server: a Firefox URL
can omit scope= and the server resolves the full set from service=,
appending apps/oldsync when the user enters a password.
This commit:
- /oauth/authorization resolves scope from service= for OAuthNative
clients when scope= is omitted. Returns invalid_request(scope) for
non-native clients and invalid_request(service) for unknown or
disallowed service/client pairs.
- Server emits the full scope set per oauthServer.authorization
.serviceScopes; keysConditionalScope (apps/oldsync) is appended when
keys_jwe is in the payload, preserving today's "non-Sync browser service
+ password derives scoped keys" behavior.
- Both /authorization and /oauth/authorization responses now echo the
granted scope per RFC 6749 §5.1.
- fxa-settings threads the returned scope to fxaOAuthLogin (renamed
scopes → scope to match the OAuth spec). OAuthNativeIntegration
overrides getNormalizedScope / _scopeRequestsKeys to support the
no-URL-scope case; URL-scope-present path delegates to super.* and
is preserved.
- Adds shared OAUTH_NATIVE_CLIENT_IDS set in libs/accounts/oauth,
and creates a scopes file in functional-tests for shared scopes
closes FXA-13495
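
The server-side resolution rules listed above, as an added TypeScript sketch; this is not code from the commit or from the FxA code base. The client id, the service names, every scope except apps/oldsync, the shape of the serviceScopes map and the pass-through for an explicit scope= are assumptions made for illustration.

```typescript
// Added illustration; names and values are constructed stand-ins.
type ScopeError = { error: 'invalid_request'; param: 'scope' | 'service' };
type ScopeResult = { scope: string } | ScopeError;

interface AuthzRequest {
  clientId: string;
  scope?: string;   // space-delimited; native clients may omit it
  service?: string;
  keysJwe?: string; // present when the user entered a password
}

// Stand-in for the shared OAUTH_NATIVE_CLIENT_IDS set.
const NATIVE_CLIENT_IDS = new Set<string>(['native-client-placeholder']);

// Stand-in for oauthServer.authorization.serviceScopes (shape assumed):
// client id -> service -> scopes granted. Maps avoid prototype-key lookups.
const SERVICE_SCOPES = new Map<string, Map<string, string[]>>([
  ['native-client-placeholder', new Map<string, string[]>([
    ['sync', ['profile', 'apps/oldsync']],
    ['relay', ['profile', 'example:relay']],
  ])],
]);

const KEYS_CONDITIONAL_SCOPE = 'apps/oldsync';

function resolveScope(req: AuthzRequest): ScopeResult {
  // An explicit scope= keeps its existing path (assumed pass-through here).
  const requested = (req.scope ?? '').trim();
  if (requested !== '') return { scope: requested };

  // Only native clients may omit scope=; the client never widens its own grant.
  if (!NATIVE_CLIENT_IDS.has(req.clientId)) {
    return { error: 'invalid_request', param: 'scope' };
  }

  // Unknown service, missing service, or a service not allowed for this client.
  const base = SERVICE_SCOPES.get(req.clientId)?.get(req.service ?? '');
  if (base === undefined) return { error: 'invalid_request', param: 'service' };

  // The Set de-duplicates when the service already grants the key scope.
  const granted = new Set<string>(base);
  if (req.keysJwe) granted.add(KEYS_CONDITIONAL_SCOPE);
  return { scope: Array.from(granted).join(' ') };
}
```

The returned scope string is what a caller would echo in the authorization response, so the client learns the grant from the server instead of assuming it.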