ExpressGateway / express-gateway

A microservices API Gateway built on top of Express.js
https://www.express-gateway.io
Apache License 2.0
2.97k stars, 344 forks

OAuth2 introspection cannot identify 'scope' in token #1002

Closed BrunoVillanova closed 4 years ago

BrunoVillanova commented 4 years ago

The OAuth2 Introspection policy was only expecting a 'scopes' field in the OAuth2 provider's token response. Some OAuth2 provider implementations use the 'scope' field name, causing the token scope verification to fail. I've added the possibility to work with OAuth2 providers that use either 'scope' or 'scopes' as the name of the token's scopes field.

XVincentX commented 4 years ago

This is a tricky one, I'm going to have to look into this before merging.

As far as I remember, the standard is clear about the field name, that is why the field is only one and not both.

BrunoVillanova commented 4 years ago

Hi Vincent,

I took a look and the doc says the correct one is 'scope', please take a look: https://tools.ietf.org/html/rfc6749#section-3.3.

Thank you.

XVincentX commented 4 years ago

Looks legit. Thanks for spotting this.

BrunoVillanova commented 4 years ago

It was a pleasure to contribute. Thank you for merging it.