Project: PUBLIC - OAuth2
Issue: OAUTH2-172

Authorization Code grant flow is not honoring scope narrow down

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Master, 1.0-portal_7.1.0
    • Fix Version/s: Master, 1.0-portal_7.1.0
    • Component/s: None
    • Labels:

      Description

      When using the authorization code grant, a client that asks for a narrower set of scopes than the ones assigned to its application has that request ignored: all assigned scopes are granted and returned for the token.
      The other grant types honor the narrowed scope.

      Steps to reproduce:
      1. Create an application and assign more than one resource scope to it.
      2. Get a token using the authorization code grant. When asking for the authorization, specify only one of the assigned scopes.
      3. Finish the flow.

      Expected result:
      The token response should only contain the requested scope.

      Actual result:
      The token response contains all of the assigned scopes instead of only the requested one.
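The following is an added illustration of the scope-narrowing rule the report expects, not the Liferay OAuth2 plugin's own code. It contrasts the reported behaviour (the requested scope is ignored and every assigned scope lands in the token) with the correct behaviour (grant exactly the requested subset, refuse anything outside the assigned set with `invalid_scope`, and fall back to all assigned scopes only when no scope was requested), and adds the client-side check from step 3 that flags any scope the token carries beyond what was asked for. Function names, the `ScopeError` class and the sample scope names are assumptions made for the example.

```python
"""Scope narrowing in the authorization code grant (constructed example).

Added illustration for OAUTH2-172; not the plugin's own code. The names
narrow_scope, narrow_scope_buggy, token_scope, check_token_scope and
ScopeError are assumptions made for this example.
"""


class ScopeError(ValueError):
    """Carries the OAuth2 error code the authorization server should return."""

    def __init__(self, code, description):
        super().__init__(description)
        self.code = code
        self.description = description


def parse_scope(scope_param):
    """Split a space-delimited OAuth2 'scope' parameter.

    Keeps the order in which scopes were requested and drops duplicates.
    None or an empty string means "no scope requested".
    """
    if not scope_param:
        return []
    return list(dict.fromkeys(scope_param.split()))


def narrow_scope(assigned_scopes, requested_scope):
    """Decide which scopes an authorization request may be granted (the fix).

    - no scope requested: every scope assigned to the application (the default)
    - a subset requested: exactly that subset (the narrowing the issue wants)
    - anything outside the assigned set: invalid_scope, nothing is granted
    """
    assigned = list(dict.fromkeys(assigned_scopes))
    requested = parse_scope(requested_scope)
    if not requested:
        return assigned
    unknown = [s for s in requested if s not in assigned]
    if unknown:
        raise ScopeError(
            "invalid_scope",
            "scope not assigned to this application: " + " ".join(unknown),
        )
    # Keep the registration order so the token's scope string is stable.
    return [s for s in assigned if s in requested]


def narrow_scope_buggy(assigned_scopes, requested_scope):
    """The behaviour reported in the issue: the requested scope is ignored and
    every assigned scope ends up in the token."""
    return list(dict.fromkeys(assigned_scopes))


def token_scope(assigned_scopes, requested_scope, narrow=narrow_scope):
    """Build the 'scope' member of the token response from the chosen rule."""
    return " ".join(narrow(assigned_scopes, requested_scope))


def check_token_scope(token_response_scope, requested_scope):
    """Client-side check for step 3 of the report: return every scope the token
    carries that the client did not ask for (empty list means the narrowing
    was honored). With no requested scope there is nothing to compare against."""
    requested = set(parse_scope(requested_scope))
    if not requested:
        return []
    granted = set(parse_scope(token_response_scope))
    return sorted(granted - requested)


def error_code_for(assigned_scopes, requested_scope):
    """Return the OAuth2 error code narrow_scope would produce, or None."""
    try:
        narrow_scope(assigned_scopes, requested_scope)
    except ScopeError as err:
        return err.code
    return None


if __name__ == "__main__":
    # Constructed sample: an application registered with two resource scopes,
    # and a client that asks for only the read scope.
    APP_SCOPES = ["documents.read", "documents.write"]
    REQUESTED = "documents.read"

    buggy = token_scope(APP_SCOPES, REQUESTED, narrow_scope_buggy)
    fixed = token_scope(APP_SCOPES, REQUESTED)
    print("reported behaviour:", buggy, "-> extra:", check_token_scope(buggy, REQUESTED))
    print("expected behaviour:", fixed, "-> extra:", check_token_scope(fixed, REQUESTED))
    print("unassigned scope:", error_code_for(APP_SCOPES, "admin"))
```

The security point is the last line of `check_token_scope`: a token that carries `documents.write` when the user was only asked to consent to `documents.read` is broader than what was authorized, so a client (or a test in the authorization server's suite) should treat any non-empty result from that check as a failure rather than quietly using the token.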
