I second this. It makes no sense to require the 'csrf.token' for unauthenticated users as 'token.json' returns an empty response. There should be a way to allow csrf generation even for these types of users.
Hmmm, i don't think so. 'Adobe Granite OAuth Server Authentication Handler' exists both in 6.1 and 6.2. Also it doesn't have the 'Allowed Scopes' option.