mod_http_oauth2/mod_http_oauth2.lua
changeset 5275 3a1df3adad0c
parent 5272 bac39c6e7203
child 5277 40be37652d70
--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 23 16:19:09 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 23 16:28:08 2023 +0100
@@ -366,9 +366,14 @@
 			};
 		end
 
+		local scope = array():append(form):filter(function(field)
+			return field.name == "scope";
+		end):pluck("value"):concat(" ");
+
 		user.token = form.user_token;
 		return {
 			user = user;
+			scope = scope;
 			consent = form.consent == "granted";
 		};
 	end
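Review bot: The `scope` string built here comes straight from the submitted consent form and is returned without any check, and nothing in the hunk documents that. Because the values are joined with a space, a single `scope` field whose value contains whitespace becomes several scope tokens once the string is split again. A comment above the assignment would make the trust boundary visible, for example `-- scopes ticked on the consent form; user-agent supplied, must be checked against the client's request before use`. The enclosing function starts outside the hunk, so any earlier validation of `form` is not visible here.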
@@ -522,11 +527,14 @@
 		return render_page(templates.login, { state = auth_state, client = client });
 	elseif auth_state.consent == nil then
 		-- Render consent page
-		return render_page(templates.consent, { state = auth_state, client = client }, true);
+		return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope) }, true);
 	elseif not auth_state.consent then
 		-- Notify client of rejection
 		return error_response(request, oauth_error("access_denied"));
 	end
+	-- else auth_state.consent == true
+
+	params.scope = auth_state.scope;
 
 	local user_jid = jid.join(auth_state.user.username, module.host);
 	local client_secret = make_client_secret(params.client_id);
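Review bot: `params.scope = auth_state.scope` replaces the scope the client requested with whatever the consent form submitted, without intersecting the two. The consent page is rendered from `parse_scopes(params.scope)`, but a modified form post could carry scope values that were never requested or shown to the user. Unless code further down filters them, the grant would then be wider than the request. Restricting the granted set to the requested one before the assignment closes that gap; the sketch below assumes `parse_scopes` returns a sequence of scope strings. The function continues outside the hunk, so later filtering may exist that is not visible here.

```lua
	-- else auth_state.consent == true

	-- Keep only form-submitted scopes that the client originally requested
	local requested = {};
	for _, s in ipairs(parse_scopes(params.scope)) do
		requested[s] = true;
	end
	local granted = {};
	for _, s in ipairs(parse_scopes(auth_state.scope)) do
		if requested[s] then
			granted[#granted + 1] = s;
		end
	end
	params.scope = table.concat(granted, " ");
	-- … unchanged: user_jid and client_secret setup …
```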