--- a/mod_http_oauth2/html/consent.html	Thu Mar 23 16:19:09 2023 +0100
+++ b/mod_http_oauth2/html/consent.html	Thu Mar 23 16:28:08 2023 +0100
@@ -37,6 +37,9 @@
 	</p>
 
 	<form method="post">
+		<details><summary>Requested permissions</summary>{scopes#
+			<input class="scope" type="checkbox" id="scope_{idx}" name="scope" value="{item}" checked><label class="scope" for="scope_{idx}">{item}</label>}
+		</details>
 		<input type="hidden" name="user_token" value="{state.user.token}">
 		<button type="submit" name="consent" value="denied">Deny</button>
 		<button type="submit" name="consent" value="granted">Allow</button>

--- a/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 23 16:19:09 2023 +0100
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Thu Mar 23 16:28:08 2023 +0100
@@ -366,9 +366,14 @@
 			};
 		end
 
+		local scope = array():append(form):filter(function(field)
+			return field.name == "scope";
+		end):pluck("value"):concat(" ");
+
 		user.token = form.user_token;
 		return {
 			user = user;
+			scope = scope;
 			consent = form.consent == "granted";
 		};
 	end
@@ -522,11 +527,14 @@
 		return render_page(templates.login, { state = auth_state, client = client });
 	elseif auth_state.consent == nil then
 		-- Render consent page
-		return render_page(templates.consent, { state = auth_state, client = client }, true);
+		return render_page(templates.consent, { state = auth_state; client = client; scopes = parse_scopes(params.scope) }, true);
 	elseif not auth_state.consent then
 		-- Notify client of rejection
 		return error_response(request, oauth_error("access_denied"));
 	end
+	-- else auth_state.consent == true
+
+	params.scope = auth_state.scope;
 
 	local user_jid = jid.join(auth_state.user.username, module.host);
 	local client_secret = make_client_secret(params.client_id);