diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index 3d63c71..6571c91 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -371,8 +371,8 @@ OAUTH3.authn.resourceOwnerPassword = function (directive, opts) {
 OAUTH3.authz = {};
 OAUTH3.authz.scopes = function (providerUri, session, clientParams) {
   var clientUri = OAUTH3.uri.normalize(clientParams.client_uri || OAUTH3._browser.window.document.referrer);
-  var scope = clientParams.scope || 'oauth3_authn';
-  if ('oauth3_authn' === scope) {
+  var scope = clientParams.scope || [ 'authn@oauth3.org' ];
+  if ('authn@oauth3.org' === scope.toString()) {
     // implicit ppid grant is automatic
     console.warn('[security] fix scope checking on backend so that we can do automatic grants');
     // TODO check user preference if implicit ppid grant is allowed