Token request sends 'scope' parameter on authorisation code grant flow

Issue #450 resolved
Quentin Castel created an issue

Hello!

According to the spec, the token request should not contain the scope parameter when exchanging the authorisation code grant flow for a token.

When looking at the TokenRequest, it doesn’t seem to check what kind of grant it is and is adding the scope to the request no matter what.

It is indeed possible to manage this at the usage of the library, by not adding the scope to the TokenRequest when the grant is not the client credentials flow, for example. Although I personally find this responsibility to be more suitable in the library rather than in each client of the library.

IMHO, the library should not end up making requests that are not spec compliant.

In the meantime, we will fix it in our usage of the nimbus library but thought it would be a nice safety net to add in the library itself.

Comments (7)

  1. Quentin Castel reporter

    I could potentially contribute directly in the lib but would like first to see if you are ok with that kind of new behaviour

  2. Yavor Vasilev

    You’re welcome.

    TokenRequest.parse received a check to reject requests with an invalid_request error when there is a scope parameter not permitted by the grant type.

    version 11.7 (2023-11-27)
        * Adds a ParameterRequirement enumeration.
        * The GrantType adds a method returning the scope parameter requirement in
          token requests.
        * TokenRequest.toHTTPRequest must not include a scope parameter with an
          authorisation code grant or other OAuth 2.0 grants that don't allow it
          (iss #450).
        * TokenRequest.parse must reject requests with a scope parameter that isn't
          allowed according to the grant type with an invalid_request error (iss
          #450).
    

    The new release is not on Maven Central. Thanks for the contribution!
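The rule discussed in this issue, the scope parameter being permitted in a token request only for some grant types, as a small added example in Python. This is illustration code written for this page, not code from the Nimbus OAuth 2.0 SDK; the names ParameterRequirement, build_token_request_body and parse_token_request_body are my own, chosen to mirror the two behaviours the changelog above describes (toHTTPRequest dropping a disallowed scope on the client side, parse rejecting it with invalid_request on the server side). The per-grant table is an assumption taken from RFC 6749 sections 4.1.3, 4.3.2, 4.4.2 and 6; the sample request bodies are constructed.

```python
"""Scope parameter requirement per OAuth 2.0 grant type in token requests.

Added illustration, not the Nimbus SDK's own code. Grant/scope rules are
taken from RFC 6749: the authorization_code token request (4.1.3) defines no
scope parameter, while password (4.3.2), client_credentials (4.4.2) and
refresh_token (6) define it as OPTIONAL.
"""
from enum import Enum
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode


class ParameterRequirement(Enum):
    REQUIRED = "required"
    OPTIONAL = "optional"
    NOT_ALLOWED = "not_allowed"


# Assumed table (RFC 6749); extension grants not listed here fall back to OPTIONAL.
SCOPE_REQUIREMENT: Dict[str, ParameterRequirement] = {
    "authorization_code": ParameterRequirement.NOT_ALLOWED,
    "client_credentials": ParameterRequirement.OPTIONAL,
    "password": ParameterRequirement.OPTIONAL,
    "refresh_token": ParameterRequirement.OPTIONAL,
}


class InvalidRequest(ValueError):
    """Carries the OAuth 2.0 'invalid_request' error code (RFC 6749, 5.2)."""
    error = "invalid_request"


def scope_requirement(grant_type: str) -> ParameterRequirement:
    """Scope parameter requirement for a grant type (hypothetical helper)."""
    return SCOPE_REQUIREMENT.get(grant_type, ParameterRequirement.OPTIONAL)


def build_token_request_body(grant_type: str, scope: Optional[str] = None, **params: str) -> str:
    """Client side: serialise a token request body, silently dropping a
    'scope' value when the grant type does not allow the parameter."""
    body = {"grant_type": grant_type, **params}
    if scope and scope_requirement(grant_type) is not ParameterRequirement.NOT_ALLOWED:
        body["scope"] = scope
    return urlencode(body)


def parse_token_request_body(body: str) -> Dict[str, str]:
    """Server side: parse a form-encoded token request and reject a scope
    parameter that the grant type does not permit with invalid_request."""
    raw = parse_qs(body, keep_blank_values=True)
    # RFC 6749, 3.2: parameters must not be included more than once.
    duplicates = [k for k, v in raw.items() if len(v) != 1]
    if duplicates:
        raise InvalidRequest(f"duplicate parameter(s): {', '.join(duplicates)}")
    params = {k: v[0] for k, v in raw.items()}
    grant_type = params.get("grant_type")
    if not grant_type:
        raise InvalidRequest("missing grant_type")
    requirement = scope_requirement(grant_type)
    if "scope" in params and requirement is ParameterRequirement.NOT_ALLOWED:
        raise InvalidRequest(f"scope parameter not allowed with grant type {grant_type}")
    if "scope" not in params and requirement is ParameterRequirement.REQUIRED:
        raise InvalidRequest(f"scope parameter required with grant type {grant_type}")
    return params


if __name__ == "__main__":
    # Constructed sample: the client-side builder drops scope for the code grant
    print(build_token_request_body("authorization_code", scope="openid",
                                   code="SplxlOBeZQQYbYS6WxSbIA",
                                   redirect_uri="https://client.example/cb"))
    # Constructed sample: the server-side parser rejects it
    try:
        parse_token_request_body("grant_type=authorization_code&code=abc&scope=openid")
    except InvalidRequest as exc:
        print(exc.error, "-", exc)
```

The builder and the parser share one table on purpose: a client built on the same table never emits what the server rejects, which is the "safety net" the issue asks for. Note that the check is about the parameter's presence, not its value; scope values are validated separately against the client's registered scopes.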
