Repeating some of what I put into the code review of https://github.com/python-social-auth/social-core/pull/169
I suspect that the default OAuth scope is actually scope.always. Check out https://secure.phabricator.com/D15621 , which removed previous scopes offline_access and whoami as no longer needed, but added a new one.
Phabricator has no published defined scopes, as noted at https://github.com/ofbeaton/oauth2-phabricator#managing-scopes , and "This section has not been written yet." on https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/ .
If true, this deserves special mention as Phabricator is very odd in that regard; not many other OAuth providers have no scopes at all.
If we do figure out the scopes, maybe there is a documentation task to be done ... :P
But as I mentioned above, it looks like the scope scope.always exists, and I wouldn't be surprised if the myriad other scopes in Phabricator also work via OAuth.
A bit more investigation needed (however the GCI task criteria have been met, and so it is approved).
Looking at the current source of Phabricator on GitHub, the "required" scope for user.whoami is referring to self::SCOPE_ALWAYS, therefore the docs for https://github.com/ofbeaton/oauth2-phabricator should be updated to list that scope.
Same applies to the PR made by me for python-social-auth: https://github.com/python-social-auth/social-core/pull/169
It applies to Phabricator in general, as the docs at Phabricator are incomplete here: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/
I also noticed that they've disabled registration for new contributors, so I am forwarding the question to @jayvdb on how to update the docs at Phabricator.
Edit: The research will save the work for us later at Wikimedia :)