Token request sends 'scope' parameter on authorisation code grant flow
Hello!
According to the spec, the token request should not contain the scope
parameter when exchanging the authorisation code grant flow for a token.
When looking at the TokenRequest,
it doesn't seem to check what kind of grant it is and is adding the scope
to the request no matter what.
It is indeed possible to manage this at the usage of the library, by not adding the scope
to the TokenRequest when the grant is not the client credential flow, for example. Although I personally find this responsibility to be more suitable in the library rather than in each client of the library.
IMHO, the library should not end up making requests that are not spec compliant.
In the meantime, we will fix it in our usage of the nimbus library but thought it would be a nice safety net to add in the library itself.
Comments (7)
-
reporter edited description
-
changed status to open
Hi Quentin,
You're right, the scope shouldn't be there.
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
I think we don't have a test for this and that's why this bug has slipped through.
If you already have a good idea how this can be fixed, reliably and with clean code, please submit a PR or attach a patch.
-
reporter: The PR can be found here: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/pull-requests/32
-
Thanks, we’ll review it!
-
reporter - changed status to resolved
Thanks for the quick review!
-
You’re welcome.
TokenRequest.parse received a check to reject requests with an invalid_request error when there is a scope parameter not permitted by the grant type.

version 11.7 (2023-11-27)
* Adds a ParameterRequirement enumeration.
* The GrantType adds a method returning the scope parameter requirement in token requests.
* TokenRequest.toHTTPRequest must not include a scope parameter with an authorisation code grant or other OAuth 2.0 grants that don't allow it (iss #450).
* TokenRequest.parse must reject requests with a scope parameter that isn't allowed according to the grant type with an invalid_request error (iss #450).
The new release is not on Maven Central. Thanks for the contribution!
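The rule the reporter describes and the two-sided fix the changelog lists (drop scope when serialising a grant that forbids it, reject it with invalid_request when parsing), as an added Python illustration that is not the Nimbus SDK's own code. The ScopeRequirement names, the per-grant table and the choice to treat unknown extension grants as scope-optional are this example's assumptions; it also covers the RFC 8628 device code grant beyond the page's authorisation code case.

```python
from enum import Enum
from urllib.parse import parse_qs, urlencode

class ScopeRequirement(Enum):
    """Whether a token request for a grant may carry 'scope' (names are this example's own)."""
    NOT_ALLOWED = "not_allowed"
    OPTIONAL = "optional"

# RFC 6749 token requests: authorization_code (4.1.3) defines no scope parameter;
# password (4.3.2), client_credentials (4.4.2) and refresh_token (6) allow an optional one.
# RFC 8628 device_code (3.4) also defines no scope parameter. Unknown extension grants
# are treated as OPTIONAL here; that is an assumption of this example, not a spec rule.
SCOPE_REQUIREMENT = {
    "authorization_code": ScopeRequirement.NOT_ALLOWED,
    "urn:ietf:params:oauth:grant-type:device_code": ScopeRequirement.NOT_ALLOWED,
    "password": ScopeRequirement.OPTIONAL,
    "client_credentials": ScopeRequirement.OPTIONAL,
    "refresh_token": ScopeRequirement.OPTIONAL,
}

def scope_requirement(grant_type: str) -> ScopeRequirement:
    return SCOPE_REQUIREMENT.get(grant_type, ScopeRequirement.OPTIONAL)

class TokenRequestError(ValueError):
    """Carries the OAuth error code a token endpoint would return."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error

def to_form_body(params: dict) -> str:
    """Client side: serialise a token request, dropping 'scope' where the grant forbids it."""
    params = dict(params)
    if scope_requirement(params["grant_type"]) is ScopeRequirement.NOT_ALLOWED:
        params.pop("scope", None)
    return urlencode(params)

def parse_token_request(body: str) -> dict:
    """Server side: parse a form body and reject a 'scope' the grant type does not permit."""
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    grant_type = params.get("grant_type")
    if grant_type is None:
        raise TokenRequestError("invalid_request", "missing grant_type")
    if "scope" in params and scope_requirement(grant_type) is ScopeRequirement.NOT_ALLOWED:
        raise TokenRequestError("invalid_request", f"scope not allowed with grant_type {grant_type}")
    return params
```

The constructed bodies used below only need to be form-encoded; no network or real token endpoint is involved.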
I could potentially contribute directly in the lib but would like first to see if you are ok with that kind of new behaviour