Regression in token request parsing

Issue #452 resolved
Emond.Papegaaij created an issue

With #450, a check was added to return an invalid request when a scope parameter is added to the request. However, https://datatracker.ietf.org/doc/html/rfc6749#section-3.2 states: "The authorization server MUST ignore unrecognized request parameters." An unexpected scope parameter should IMHO be treated as an unrecognized request parameter and therefore be ignored. The current implementation breaks several of our integrations, as many libraries seem to include a scope parameter with this request.
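
The following is an added, stand-alone illustration of the RFC 6749 section 3.2 rule the issue invokes, written for this page; it is not code from the Nimbus OAuth 2.0 SDK, and the grant-type parameter table, the `strict_scope` switch and the sample request bodies are constructed for the example. It parses a token request body, rejects duplicated parameters, treats blank values as omitted, and then either ignores a `scope` parameter that the grant type does not define (the RFC behaviour) or rejects it (the behaviour the issue describes), so the two modes can be compared on the same input.

```python
from urllib.parse import parse_qs

# Token endpoint parameters per grant type (RFC 6749 sections 4.1.3, 4.3.2,
# 4.4.2 and 6). Constructed for this example; not the SDK's own table.
# client_id may accompany any grant for public clients (section 3.2.1), so it
# is listed as optional everywhere; code_verifier comes from RFC 7636.
GRANT_PARAMS = {
    "authorization_code": {"required": {"code"},
                           "optional": {"redirect_uri", "client_id", "code_verifier"}},
    "password":           {"required": {"username", "password"},
                           "optional": {"scope", "client_id"}},
    "client_credentials": {"required": set(),
                           "optional": {"scope", "client_id"}},
    "refresh_token":      {"required": {"refresh_token"},
                           "optional": {"scope", "client_id"}},
}


class TokenRequestError(Exception):
    """Carries an OAuth 2.0 token error code (RFC 6749 section 5.2)."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def parse_token_request(body, strict_scope=False):
    """Parse an application/x-www-form-urlencoded token request body.

    strict_scope=False: RFC 6749 section 3.2 behaviour. A scope parameter the
    grant type does not define is an unrecognised parameter and is ignored
    (it is reported under "ignored" so a server can log it).
    strict_scope=True: the rejecting behaviour the issue reports, returned as
    an invalid_request error.
    """
    raw = parse_qs(body, keep_blank_values=True)

    # Section 3.2: a parameter included more than once is an error.
    dupes = sorted(k for k, v in raw.items() if len(v) > 1)
    if dupes:
        raise TokenRequestError("invalid_request",
                                f"duplicate parameter(s): {', '.join(dupes)}")

    # Section 3.2: a parameter sent without a value is treated as omitted.
    params = {k: v[0] for k, v in raw.items() if v[0] != ""}

    grant_type = params.pop("grant_type", None)
    if grant_type is None:
        raise TokenRequestError("invalid_request", "missing grant_type")
    spec = GRANT_PARAMS.get(grant_type)
    if spec is None:
        raise TokenRequestError("unsupported_grant_type", grant_type)

    missing = sorted(spec["required"] - params.keys())
    if missing:
        raise TokenRequestError("invalid_request",
                                f"missing parameter(s): {', '.join(missing)}")

    known = spec["required"] | spec["optional"]
    if strict_scope and "scope" in params and "scope" not in known:
        raise TokenRequestError("invalid_request",
                                f"scope not allowed for grant_type={grant_type}")

    # Section 3.2: anything else the grant type does not define is ignored.
    accepted = {k: v for k, v in params.items() if k in known}
    ignored = sorted(k for k in params if k not in known)
    return {"grant_type": grant_type, "params": accepted, "ignored": ignored}


def error_code_for(body, strict_scope=False):
    """Return the error code a body would produce, or None if it parses."""
    try:
        parse_token_request(body, strict_scope=strict_scope)
    except TokenRequestError as e:
        return e.error
    return None


# Constructed sample bodies: an authorization_code exchange from a client that
# also sends scope (the case in the issue), and a client_credentials request
# where scope is a defined parameter and must be kept.
CODE_WITH_SCOPE = ("grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
                   "&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb&scope=openid")
CLIENT_CREDS = "grant_type=client_credentials&scope=read%20write"

if __name__ == "__main__":
    print(parse_token_request(CODE_WITH_SCOPE))
    print("strict:", error_code_for(CODE_WITH_SCOPE, strict_scope=True))
    print(parse_token_request(CLIENT_CREDS))
```

In lenient mode the first body parses and `scope` shows up only under `ignored`; in strict mode the same body yields `invalid_request`. The second body keeps `scope` because the client credentials grant defines it.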

Comments (2)

  1. Yavor Vasilev

    Fixed: 85cc701b9a12cf5832df09886302077b2a4b7f75

    Release:

    version 11.7.1 (2023-12-08)
        * TokenRequest.parse must ignore the scope parameter when it is not allowed
          by the grant type. In version 11.7 TokenRequest introduced strict
          checking which breaks requests with non-compliant clients (iss #452).
        * Updates to net.minidev:json-smart:2.5.0
        * Updates com.nimbusds:nimbus-jose-jwt:9.37.3
        * Updates to com.google.crypto.tink:tink:1.12.0
        * Updates to BouncyCastle 1.77
    