From 092f688b0dd57021e41ba5bc4ceecf15de8bc84e Mon Sep 17 00:00:00 2001
From: Tangui Le Pense <29804907+tanguilp@users.noreply.github.com>
Date: Fri, 24 Nov 2023 16:06:09 +0300
Subject: [PATCH] Fix error when RFC9068 JWS has no scope field
---
 authlib/oauth2/rfc9068/token_validator.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authlib/oauth2/rfc9068/token_validator.py b/authlib/oauth2/rfc9068/token_validator.py
index b11ff80b..dc152e28 100644
--- a/authlib/oauth2/rfc9068/token_validator.py
+++ b/authlib/oauth2/rfc9068/token_validator.py
@@ -140,7 +140,7 @@ def validate_token(
 # more considerations about the relationship between scope strings and resources
 # indicated by the 'aud' claim.
- if self.scope_insufficient(token['scope'], scopes):
+ if self.scope_insufficient(token.get('scope', []), scopes):
 raise InsufficientScopeError()
 # Many authorization servers embed authorization attributes that go beyond the
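Review bot: The default in `token.get('scope', [])` turns a missing claim into an empty scope list, so whether a token without `scope` is rejected when `scopes` are required now depends entirely on how `scope_insufficient` treats an empty value, which is not visible in this hunk. That path should fail closed; a regression test that presents a scope-less token to a resource requiring scopes and asserts `InsufficientScopeError` would pin it. The default also covers only an absent key: a token carrying `"scope": null` still passes `None` through to the helper. The claim is presumably a space-delimited string while the fallback is a list, so `token.get('scope') or ''` may be the more consistent form if the helper accepts it. validate_token's body starts and continues outside the hunk.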