Verifying access token scopes

[hedleysmith]

I've run into an issue in a few instances where an access token is not being verified by AccessToken.verify and the "Insufficient scope" error is being thrown, it's coming from this line:

https://github.com/anvilresearch/connect-nodejs/blob/master/lib/AccessToken.js#L160

I wonder if this check is too restrictive, e.g if an access token has the scope:

"openid email profile phone"

And the Anvil Connect instance is configured with the scope:

"openid profile phone email"

Equally if an access token has any additional scopes the verification will also fail.

Is this by design? Should the scope verification match the exact string, or could we explode the scopes string into components and check that the JWT scopes match on a per-scope basis? Or maybe I'm missing something about this scope verification check entirely?

Happy to provide a patch for this but wanted to check up on the motivation for this design beforehand.