Diffstat (limited to 'yarns/300-end-user-auth.yarn')
-rw-r--r-- yarns/300-end-user-auth.yarn 5
1 files changed, 3 insertions, 2 deletions
diff --git a/yarns/300-end-user-auth.yarn b/yarns/300-end-user-auth.yarn
index 98295fb..e6b6e66 100644
--- a/yarns/300-end-user-auth.yarn
+++ b/yarns/300-end-user-auth.yarn
@@ -86,6 +86,7 @@ registerd, before the login process starts.
GIVEN a Qvisqve configuration for "https://qvisqve"
AND Qvisqve configuration has user account tomjon with password hunter2
+ AND Qvisqve configuration allows user tomjon scopes foo bar
AND Qvisqve configuration has application facade
... with callback url https://facade/callback
... and secret happydays
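Review bot: The added GIVEN step that allows tomjon the scopes foo bar introduces per-user scope filtering with no accompanying prose, so the scenario never states how allowed scopes interact with the scopes a client requests. Add a sentence ahead of the scenario giving the rule the test relies on, for example that the issued token carries only those requested scopes the user is allowed. Note also that bar is allowed here but is never requested in the later /auth step, so the "allowed but not requested" case is covered only implicitly by the final scope assertion.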
@@ -115,7 +116,7 @@ unique, hard-to-guess value every time the user authenication starts
anew. Note that this should probably be different from the `state`
value from the facade (FIXME: why?).
- WHEN browser requests GET /auth?response_type=code&scope=openid+read&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback
+ WHEN browser requests GET /auth?response_type=code&scope=openid+foo+yo&client_id=facade&state=RANDOM&redirect_uri=https://facade/callback
THEN HTTP status code is 200 OK
AND Content-Type is text/html
AND body has an HTML form with field username
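Review bot: The new scope=openid+foo+yo in the WHEN line requests openid, which is not among the scopes the configuration allows for tomjon (foo bar), so the later expectation that the token scope is foo means openid is dropped together with yo. If dropping openid is intended, say so in the text above the request; if it is not, add openid to the allowed scopes in the GIVEN step. A short sentence noting that yo is deliberately a scope tomjon is not allowed would make the purpose of this request obvious to the next reader.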
@@ -179,7 +180,7 @@ this. Needs research and thinking.
AND JSON body has field token_type, with value Bearer
AND JSON body has field expires_in
- AND access token has a scope field set to read
+ AND access token has a scope field set to foo
AND access token has a sub field set to tomjon
The authorization code can't be re-used.
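Review bot: The changed assertion "scope field set to foo" is the only check on the filtering behaviour, and the step wording does not make clear whether it is an exact match or a containment check. If it only checks that foo is present, a token that still carried yo or openid would pass; either state that the match is exact or add a negative step along the lines of "AND access token scope does not include yo". A further scenario in which none of the requested scopes are allowed would pin down what Qvisqve returns in that case.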