An OAuth2.0 login flow is designed to give a consuming application an access_token which can be used to make requests on behalf of a particular user.
Rather than always request a token that can be used to access everything the user can access, a consuming application can request a certain scope of permissions (e.g. maybe an app only needs to list media and doesn’t need to be able to modify anything).
You may have seen this idea in play if you’ve ever used a Google Apps or GMail account to log into a third party service:
MediaCore’s APIv2 does not currently support scopes, though they are a planned addition in the future.
In the mean time, you should omit the scope parameter from all requests. This is equivalent to asking for the user’s full set of permissions, and will continue to work as such after more granular scopes are introduced to the API.