>Any ideas? :-)
The first that comes to mind is to program your API to use `/introspection` endpoint to validate access token it receives from the native app. Request to it would look like this:
```
POST /oxauth/restv1/introspection HTTP/1.1
Authorization: Bearer 104789cb-4a85-403e-823a-f42f24b39ff7
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: mytrue.host.loc
Connection: close
User-Agent: Paw/3.1.5 (Macintosh; OS X/10.12.6) GCDHTTPRequest
Content-Length: 71
token=104789cb-4a85-403e-823a-f42f24b39ff7&token_type_hint=access_token
```
Its response contains scopes in it:
```
{"active":true,"scopes":["openid","profile","uma_protection","email"],"client_id":"@!84B1.7441.57C3.98B0!0001!76A2.0919!0008!8BE3.A330.6FFC.6446","username":null,"token_type":"bearer","exp":1526604503,"iat":1526604203,"sub":"","aud":"@!84B1.7441.57C3.98B0!0001!76A2.0919!0008!8BE3.A330.6FFC.6446","iss":"https://mytrue.host.loc","jti":null,"acr_values":null}
```
>Is there any way to get the requested scopes included in the identity_token?
Spec doesn't mention a standard claim like this at all, unfortunately. Still, in case of Gluu, there is a way (or sort of a hack) which allows you to push a custom claim with any contents to `id_token`, even for client credentials flow. We did something similar in the past for a customer, the idea is that you write [a dynamic scope script](https://gluu.org/docs/ce/3.1.3/admin-guide/custom-script/#dynamic-scopes) which does it, and then enable a legacy mode of `id_token` generation which includes all possible claims in the JWT. But as it's rather non-standard configuration and involves scripting tasks, it's a bit out of scope of Community Support, I'm afraid. If you'll chose to follow this lead, you'll be mostly on your own, unless you are ready to sign a support contract with Gluu.