Regression in token request parsing
Issue #452
resolved
With #450, a check was added to return an invalid request when a scope parameter is added to the request. However, https://datatracker.ietf.org/doc/html/rfc6749#section-3.2 states: "The authorization server MUST ignore unrecognized request parameters."
An unexpected scope parameter should IMHO be treated as an unrecognized request parameter and therefore be ignored. The current implementation breaks several of our integrations as many libraries seem to include a scope parameter with this request.
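The parsing rule the report turns on, as an added illustration (not code from the Nimbus OAuth 2.0 SDK or from the reporter): a token request parser that knows which parameters each grant type defines and either rejects a scope the grant type does not define (the strict behaviour the report describes) or drops it as an unrecognized parameter per RFC 6749 section 3.2. The parameter tables, the `strict` switch and the sample request bodies are all constructed for this example; the duplicate-parameter check is the other rule section 3.2 states.

```python
"""Grant-type-aware token request parsing per RFC 6749 section 3.2.

Added illustration, not code from the Nimbus OAuth 2.0 SDK. strict=True
models rejecting a scope the grant type does not define; strict=False
ignores it as an unrecognised parameter. Tables and samples are constructed.
"""
from urllib.parse import parse_qs


class InvalidRequest(Exception):
    """Maps to a token error response with error=invalid_request."""


class UnsupportedGrantType(Exception):
    """Maps to a token error response with error=unsupported_grant_type."""


# Parameters each core grant defines for the token request (RFC 6749
# sections 4.1.3, 4.3.2, 4.4.2 and 6), plus client_id/client_secret for
# clients authenticating in the body (section 2.3.1) and code_verifier
# for PKCE (RFC 7636). scope is not defined for authorization_code.
GRANT_PARAMS = {
    "authorization_code": {"code", "redirect_uri", "code_verifier",
                           "client_id", "client_secret"},
    "client_credentials": {"scope", "client_id", "client_secret"},
    "password": {"username", "password", "scope", "client_id", "client_secret"},
    "refresh_token": {"refresh_token", "scope", "client_id", "client_secret"},
}

# Parameters that must be present for the grant to be usable at all.
REQUIRED_PARAMS = {
    "authorization_code": {"code"},
    "client_credentials": set(),
    "password": {"username", "password"},
    "refresh_token": {"refresh_token"},
}


def parse_token_request(body: str, strict: bool = False) -> dict:
    """Parse a form-encoded token request body into grant type,
    recognised parameters and ignored (unrecognised) parameters."""
    raw = parse_qs(body, keep_blank_values=True)

    params = {}
    for name, values in raw.items():
        # Section 3.2: parameters MUST NOT be included more than once.
        if len(values) != 1:
            raise InvalidRequest(f"parameter {name!r} included more than once")
        params[name] = values[0]

    grant_type = params.pop("grant_type", "")
    if not grant_type:
        raise InvalidRequest("missing grant_type")
    if grant_type not in GRANT_PARAMS:
        raise UnsupportedGrantType(grant_type)

    missing = REQUIRED_PARAMS[grant_type] - set(params)
    if missing:
        raise InvalidRequest(f"missing {sorted(missing)} for {grant_type}")

    recognised, ignored = {}, {}
    for name, value in params.items():
        if name in GRANT_PARAMS[grant_type]:
            recognised[name] = value
        elif strict and name == "scope":
            # Strict behaviour: a scope the grant does not define is rejected.
            raise InvalidRequest(f"scope not allowed for {grant_type}")
        else:
            # Section 3.2: the server MUST ignore unrecognised parameters.
            ignored[name] = value

    return {"grant_type": grant_type, "params": recognised, "ignored": ignored}


def token_error_for(body: str, strict: bool = False):
    """Error code the server would answer with, or None if the request parses."""
    try:
        parse_token_request(body, strict=strict)
    except InvalidRequest:
        return "invalid_request"
    except UnsupportedGrantType:
        return "unsupported_grant_type"
    return None


# Constructed sample: authorization_code request from a client library
# that also sends scope, the pattern the report describes.
CODE_REQUEST_WITH_SCOPE = (
    "grant_type=authorization_code&code=abc123"
    "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
    "&client_id=s6BhdRkqt3&scope=openid%20profile"
)
# Constructed sample: client_credentials, where scope is a defined parameter.
CLIENT_CREDENTIALS_REQUEST = "grant_type=client_credentials&scope=read%20write"
# Constructed sample: a duplicated parameter, which section 3.2 forbids.
DUPLICATE_CODE_REQUEST = "grant_type=authorization_code&code=a&code=b"

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "lenient",
              token_error_for(CODE_REQUEST_WITH_SCOPE, strict=strict))
    print(parse_token_request(CODE_REQUEST_WITH_SCOPE))
```

Running it shows the same authorization_code body rejected with `invalid_request` in strict mode and accepted in lenient mode with `scope` reported under `ignored`, while the client_credentials body keeps its scope in both modes because that grant defines it. A duplicated `code` is rejected in both modes, which is the one parameter-level check section 3.2 does require.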
Comments (2)
- changed status to resolved
Fixed: 85cc701b9a12cf5832df09886302077b2a4b7f75
Release:
version 11.7.1 (2023-12-08)
* TokenRequest.parse must ignore the scope parameter when it is not allowed by the grant type. In version 11.7 TokenRequest introduced strict checking which breaks requests with non-compliant clients (iss #452).
* Updates to net.minidev:json-smart:2.5.0
* Updates com.nimbusds:nimbus-jose-jwt:9.37.3
* Updates to com.google.crypto.tink:tink:1.12.0
* Updates to BouncyCastle 1.77
Thanks for the feedback. The change will be edited to ignore the scope.