diff --git a/app/Models/OAuth2/Client.php b/app/Models/OAuth2/Client.php
index 5f18f02d..592f841b 100644
--- a/app/Models/OAuth2/Client.php
+++ b/app/Models/OAuth2/Client.php
@@ -426,6 +426,14 @@ class Client extends BaseEntity implements IClient
 $this->client_type = $this->infereClientTypeFromAppType($this->application_type);
 }
 
+ /**
+ * @return bool
+ */
+ public function canRequestRefreshTokens():bool{
+ return $this->getApplicationType() == IClient::ApplicationType_Native ||
+ $this->getApplicationType() == IClient::ApplicationType_Web_App;
+ }
+
 /**
 * @param string $app_type
 * @return string
diff --git a/app/Models/OAuth2/Factories/ClientFactory.php b/app/Models/OAuth2/Factories/ClientFactory.php
index db18acaf..577e6cef 100644
--- a/app/Models/OAuth2/Factories/ClientFactory.php
+++ b/app/Models/OAuth2/Factories/ClientFactory.php
@@ -39,11 +39,8 @@ final class ClientFactory
 
 foreach ($scope_repository->getDefaults() as $default_scope) {
 if (
- $default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope &&
- !(
- $client->getApplicationType() == IClient::ApplicationType_Native ||
- $client->getApplicationType() == IClient::ApplicationType_Web_App
- )
+ $default_scope->getName() === OAuth2Protocol::OfflineAccess_Scope
+ && !$client->canRequestRefreshTokens()
 ) {
 continue;
 }
diff --git a/app/Services/OAuth2/ClientService.php b/app/Services/OAuth2/ClientService.php
index bcdfc7f7..9d9887bd 100644
--- a/app/Services/OAuth2/ClientService.php
+++ b/app/Services/OAuth2/ClientService.php
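Review bot: `canRequestRefreshTokens()` compares `getApplicationType()` with loose `==`, while the ClientFactory hunk that now calls it compares scope names with `===`; since this method is the single gate deciding whether a client may hold `offline_access` and so obtain refresh tokens, the strict form is worth using, e.g. `return in_array($this->getApplicationType(), [IClient::ApplicationType_Native, IClient::ApplicationType_Web_App], true);` (assuming the getter returns the same string form as the constants, which the hunk does not show). The docblock only restates the native return type; a one-line purpose such as `Whether this client's application type (native or web app) is allowed to obtain refresh tokens via the offline_access scope.` tells the reader what the gate means. The signature `canRequestRefreshTokens():bool{` should take the PSR-12 shape `public function canRequestRefreshTokens(): bool` with the opening brace on its own line.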
@@ -373,11 +373,17 @@ final class ClientService extends AbstractService implements IClientService
 return $this->tx_service->transaction(function() use ($id, $scope_id){
 $client = $this->client_repository->getById($id);
 if (is_null($client) || !$client instanceof Client) {
- throw new EntityNotFoundException(sprintf("client id %s does not exists!", $id));
+ throw new EntityNotFoundException(sprintf("Client id %s does not exists.", $id));
 }
 $scope = $this->scope_repository->getById($scope_id);
 if (is_null($scope) || !$scope instanceof ApiScope) {
- throw new EntityNotFoundException(sprintf("scope id %s does not exists!", $scope_id));
+ throw new EntityNotFoundException(sprintf("Scope id %s does not exists.", $scope_id));
+ }
+ if($scope->getName() == OAuth2Protocol::OpenIdConnect_Scope){
+ throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OpenIdConnect_Scope));
+ }
+ if($scope->getName() == OAuth2Protocol::OfflineAccess_Scope && $client->canRequestRefreshTokens()){
+ throw new ValidationException(sprintf("Scope %s can not be removed.", OAuth2Protocol::OfflineAccess_Scope));
 }
 $client->removeScope($scope);
 $client->setEditedBy($this->auth_service->getCurrentUser());
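Review bot: The two new guards compare `$scope->getName()` with `==`, whereas the same scope-name comparison in the ClientFactory hunk of this commit uses `===`; the strict form should be used here too: `if ($scope->getName() === OAuth2Protocol::OpenIdConnect_Scope) {` and `if ($scope->getName() === OAuth2Protocol::OfflineAccess_Scope && $client->canRequestRefreshTokens()) {`. The rewritten not-found messages keep the grammatical slip, so they should read `"Client id %s does not exist."` and `"Scope id %s does not exist."`. Both `ValidationException` messages format the constant that was just matched, so passing `$scope->getName()` once would let the two branches collapse into a single check with one message. The enclosing method and its transaction closure begin and end outside the hunk.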