The spec also states that the `username` and `password` must be sent as form data (so, no JSON here).

### `scope` { #scope }

The spec also says that the client can send another form field "`scope`".

The form field name is `scope` (in singular), but it is actually a long string with "scopes" separated by spaces.

Each "scope" is just a string (without spaces).

They are normally used to declare specific security permissions, for example:

### `scope` { #scope }

La especificación también indica que el cliente puede enviar otro campo del formulario llamado "`scope`".

El nombre del campo del formulario es `scope` (en singular), pero en realidad es un string largo con "scopes" separados por espacios.

Cada "scope" es simplemente un string (sin espacios).

                            "username": {"title": "Username", "type": "string"},
                            "password": {"title": "Password", "type": "string"},
                            "scope": {
                                "title": "Scope",
                                "type": "string",
                                "default": "",
                            },
                            "client_id": {

 * to be lightweight yet powerful, supporting various scopes of object lifecycle from
 * singleton instances to mojo-execution-scoped beans.
 * <p>
 * Key features include:
 * <ul>
 *   <li>Constructor, method, and field injection</li>
 *   <li>Qualifiers for distinguishing between beans of the same type</li>
 *   <li>Multiple scopes (Singleton, Session, and MojoExecution)</li>

規範也說明 `username` 與 `password` 必須以表單資料傳送（也就是這裡不能用 JSON）。

### `scope` { #scope }

規範也說用戶端可以再送一個表單欄位「`scope`」。

欄位名稱是單數的 `scope`，但實際上是由多個以空白分隔的「scopes」組成的一長串字串。

每個「scope」就是一個（不含空白的）字串。

它們通常用來宣告特定的權限，例如：

- `users:read` 或 `users:write` 是常見的例子
- `instagram_basic` 用在 Facebook / Instagram
- `https://www.googleapis.com/auth/drive` 用在 Google

/// info

在 OAuth2 裡，「scope」只是用來宣告特定所需權限的一個字串。

不論裡面是否包含像 `:` 之類的字元，或是否是一個 URL，都沒差。

    )
    own_oauth_scopes: list[str] = []
    if isinstance(depends, params.Security) and depends.scopes:
        own_oauth_scopes.extend(depends.scopes)
    return get_dependant(
        path=path,
        call=depends.dependency,
        scope=depends.scope,
        own_oauth_scopes=own_oauth_scopes,
    )


def get_flat_dependant(
    dependant: Dependant,
    *,

	scopes := db.Statement.scopes
	db.Statement.scopes = nil
	for _, scope := range scopes {
		db = scope(db)
	}
	return db
}

// Preload preload associations with given conditions
//
//	// get all users, and preload all non-cancelled orders
//	db.Preload("Orders", "state NOT IN (?)", "cancelled").Find(&users)
func (db *DB) Preload(query string, args ...interface{}) (tx *DB) {
	tx = db.getInstance()

    return {"token": credentials, "scopes": security_scopes.scopes}


@app.get("/get-credentials")
def get_credentials(
    credentials: Annotated[dict, Security(process_auth, scopes=["a", "b"])],
):
    return credentials


@app.get(
    "/parameterless-with-scopes",
    dependencies=[Security(process_auth, scopes=["a", "b"])],
)
def get_parameterless_with_scopes():
    return {"status": "ok"}


@app.get(

### `scope` { #scope }

Spesifikasyon, client’ın "`scope`" adlı başka bir form alanı da gönderebileceğini söyler.

Form alanının adı `scope`’tur (tekil), ama aslında boşluklarla ayrılmış "scope"’lardan oluşan uzun bir string’dir.

Her bir "scope" sadece bir string’dir (boşluk içermez).

### `scope` { #scope }

La spécification indique aussi que le client peut envoyer un autre champ de formulaire « scope ».

Le nom du champ de formulaire est `scope` (au singulier), mais il s'agit en fait d'une longue chaîne contenant des « scopes » séparés par des espaces.

Chaque « scope » n'est qu'une chaîne (sans espaces).