According to OAuth2 RFC 6739-https://tools.ietf.org/html/rfc6749
the scopes are defined this way:
A.4. "scope" Syntax
The "scope" element is defined in Section 3.3:
scope = scope-token *( SP scope-token )
scope-token = 1*NQCHAR
NQCHAR = %x21 / %x23-5B / %x5D-7E
This is the hexa representation of the allowed characters, see http://ascii.cl/
Meaning ", /, ... are not allowed.
Apply this rule to the scope edition + add UT.