To tokens themselves don't differ based on how they are obtained unless you
want them to. No requirement to match scope to the client ID either, but again
it's up to you.
You do want to get this right. The challenge here is that your resource
servers have to get updated to support new scopes.
I would like to get the views and comments of the OAuth 2.0 IETF WG on the
following design and implementation question:
I have an application that supports both "authorization_code" and
"client_credentials" based access tokens. The application allows a client
to obtain data on a nightly basis
