IdentityServer4
Issue with AreExpectedScopesPresentAsync (IntrospectionResponseGenerator) when apiScopes are empty
I migrated from v3 to v4 (latest version) and I have some reference tokens already generated as "Personal Access Tokens" (an access token with a long duration/expiration).
The issue is that those tokens have "scope": "" and in the Identity database we do not have apiScopes defined (since we were using the audience to validate the access and not scopes).
The workaround I did was to create a new IntrospectionResponseGenerator with the following code, but I think that this change should be incorporated into the IdentityServer4 source code:
using System.Linq;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Events;
using IdentityServer4.ResponseHandling;
using IdentityServer4.Services;
using IdentityServer4.Validation;
using Microsoft.Extensions.Logging;

// Custom generator registered in place of the default IntrospectionResponseGenerator
public class CustomIntrospectionResponseGenerator : IntrospectionResponseGenerator
{
    public CustomIntrospectionResponseGenerator(IEventService events, ILogger<IntrospectionResponseGenerator> logger)
        : base(events, logger)
    {
    }

    protected override async Task<bool> AreExpectedScopesPresentAsync(IntrospectionRequestValidationResult validationResult)
    {
        var apiScopes = validationResult.Api.Scopes;
        var tokenScopes = validationResult.Claims.Where(c => c.Type == JwtClaimTypes.Scope);
        var tokenScopesThatMatchApi = tokenScopes.Where(c => apiScopes.Contains(c.Value));

        var result = false;

        // the only change from the stock implementation: an API with no scopes defined passes the check
        if (!apiScopes.Any() || tokenScopesThatMatchApi.Any())
        {
            // at least one of the scopes the API supports is in the token
            result = true;
        }
        else
        {
            // no scopes for this API are found in the token
            Logger.LogError("Expected scope {scopes} is missing in token", apiScopes);
            await Events.RaiseAsync(new TokenIntrospectionFailureEvent(validationResult.Api.Name, "Expected scopes are missing", validationResult.Token, apiScopes, tokenScopes.Select(s => s.Value)));
        }

        return result;
    }
}
Basically, I just added the !apiScopes.Any() condition. I think if you don't define any scopes in the API, then it is OK to say that the expected scopes are present.
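As an added, self-contained example (not IdentityServer4 code and not the issue author's workaround), the following C# program models the relaxed scope check proposed above together with the audience guard the post says was used instead of scopes. The type and method names (ApiInfo, TokenInfo, ScopeCheck.AreExpectedScopesPresent) and the sample tokens are constructed for this example; the point it adds is that an API which declares no scopes would otherwise accept any valid token at introspection, so the fallback ties acceptance to the token's aud claim.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed example: a minimal model of an API resource and of the claims
// that matter for the introspection scope check. Not IdentityServer4 types.
public sealed class ApiInfo
{
    public string Name { get; init; } = "";
    public ICollection<string> Scopes { get; init; } = new List<string>();
}

public sealed class TokenInfo
{
    public IEnumerable<string> Audiences { get; init; } = Enumerable.Empty<string>(); // "aud" claim values
    public IEnumerable<string> Scopes { get; init; } = Enumerable.Empty<string>();    // "scope" claim values
}

public static class ScopeCheck
{
    // Mirrors the issue's proposal (an API with no declared scopes skips the scope
    // requirement) but, as an assumption for this example, only when the token was
    // actually issued for that API, so "no scopes defined" does not mean "accept all".
    public static bool AreExpectedScopesPresent(ApiInfo api, TokenInfo token)
    {
        if (!api.Scopes.Any())
        {
            // Nothing to match against: fall back to the audience check the issue
            // author relies on instead of scopes.
            return token.Audiences.Contains(api.Name, StringComparer.Ordinal);
        }

        // Stock behaviour: at least one API scope must appear in the token.
        return token.Scopes.Any(s => api.Scopes.Contains(s, StringComparer.Ordinal));
    }

    public static void Main()
    {
        // api1 declares no scopes, as in the issue; api2 declares one.
        var api1 = new ApiInfo { Name = "api1" };
        var api2 = new ApiInfo { Name = "api2", Scopes = new List<string> { "api2.read" } };

        // Constructed tokens: a personal access token with "scope": "" for api1,
        // and an ordinary token for api2.
        var pat = new TokenInfo { Audiences = new[] { "api1" }, Scopes = Array.Empty<string>() };
        var other = new TokenInfo { Audiences = new[] { "api2" }, Scopes = new[] { "api2.read" } };

        Console.WriteLine($"api1 / PAT (empty scope, aud matches):   {AreExpectedScopesPresent(api1, pat)}");
        Console.WriteLine($"api1 / api2 token (aud does not match):  {AreExpectedScopesPresent(api1, other)}");
        Console.WriteLine($"api2 / api2 token (scope matches):       {AreExpectedScopesPresent(api2, other)}");
        Console.WriteLine($"api2 / PAT (required scope missing):     {AreExpectedScopesPresent(api2, pat)}");
    }
}
```

The second case is the one to keep in mind when adopting the `!apiScopes.Any()` shortcut on its own: without an audience (or equivalent) check in the same validation path, a token issued for a different API would be reported as active for any API that declares no scopes.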