Why is there a scope query parameter in the callback URL? #1489

Open
valurefugl opened this issue Nov 26, 2024 · 0 comments
@valurefugl
Which version of Duende IdentityServer are you using?
7.0.7

Which version of .NET are you using?
8.0

Describe the bug

We’ve noticed that the scope parameter is included in the callback URL after authentication in the authorization code flow, even when using PAR. This behavior seems unexpected, as scope is already handled during the authorization process and doesn’t appear to be required in the callback URL, in particular with PAR, where one of the benefits should be shorter URLs.

Is this an intentional design choice? If so, what purpose does it serve?

To Reproduce

  1. Post the required parameters to the /connect/par endpoint.
  2. Use the returned request_uri in the /connect/authorize URL.
  3. Observe the callback URL after the user authenticates.

For example, during a PAR flow on your demo server, the callback URL is:

https://demo.duendesoftware.com/diagnostics?code=6CFBD7471D6755F314350B4A6A442EEE45EBB25B91F24B29B16355CF519AF346-1&scope=openid%20profile%20email%20api&session_state=VxipVTqEDrVw229tErqNMkP2Dsn6ZppQbPFb9ySN9Fg.A13E20C70771A4CD66F7A0487A5385CA&iss=https%3A%2F%2Fdemo.duendesoftware.com

Expected behavior

No scope query parameter in the callback URL.
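The three reproduction steps above, as an added Python example (not the reporter's or Duende's code): it builds the form body for step 1 and the authorize URL for step 2, then parses the callback URL quoted in the report offline and lists which query parameters are surplus to what a client actually consumes (`code`, `state`, and the RFC 9207 `iss`). The `client_id`, `redirect_uri`, `state` and `request_uri` values are assumed placeholders.

```python
# Added example, not code from the issue or from Duende IdentityServer.
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://demo.duendesoftware.com"            # issuer named in the report
REQUESTED_SCOPES = {"openid", "profile", "email", "api"}  # scopes seen in the callback

# Callback URL quoted in the report, embedded here as sample input and parsed offline.
DEMO_CALLBACK = (
    "https://demo.duendesoftware.com/diagnostics"
    "?code=6CFBD7471D6755F314350B4A6A442EEE45EBB25B91F24B29B16355CF519AF346-1"
    "&scope=openid%20profile%20email%20api"
    "&session_state=VxipVTqEDrVw229tErqNMkP2Dsn6ZppQbPFb9ySN9Fg."
    "A13E20C70771A4CD66F7A0487A5385CA"
    "&iss=https%3A%2F%2Fdemo.duendesoftware.com"
)


def par_request_body(client_id, redirect_uri, scopes, state):
    """Step 1: form body POSTed to /connect/par (RFC 9126); returns the encoded body."""
    return urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    })


def authorize_url(issuer, client_id, request_uri):
    """Step 2: the front-channel URL carries only client_id and the returned request_uri."""
    return f"{issuer}/connect/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri})


def inspect_callback(callback_url, expected_issuer, requested_scopes):
    """Step 3: classify the callback's query parameters.

    code, state and iss are what the client needs (iss lets it check the response
    came from the expected issuer); everything else only adds to the URL length.
    """
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    needed = {"code", "state", "iss"}
    returned_scopes = set(params.get("scope", [""])[0].split())
    return {
        "code": params.get("code", [None])[0],
        "iss_ok": params.get("iss", [None])[0] == expected_issuer,
        "scope_matches_request": returned_scopes == set(requested_scopes),
        "surplus_params": sorted(k for k in params if k not in needed),
        "url_length": len(callback_url),
    }


if __name__ == "__main__":
    print(inspect_callback(DEMO_CALLBACK, ISSUER, REQUESTED_SCOPES))
```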
