FriendsOfSymfony / oauth2-php

A server implementation of OAuth 2.0
MIT License

supported scopes are used as default scopes #102

Open MarioHoberg opened 7 years ago

MarioHoberg commented 7 years ago

If I got it correctly, when a token request (e.g. with a client_credentials grant) without a scope is received, a token for all configured scopes is granted.

See code around https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L846

RFC6749 3.3. seems to allow for arbitrary defaults, but IMHO a library limiting the default to all available scopes is bad practice.

I suggest falling back to an empty scope and maybe supporting a configurable default.

rcwsr commented 6 years ago

I'm also having this issue. Is it just a case of removing 'scope' => $this->getVariable(self::CONFIG_SUPPORTED_SCOPES, null) ?

bropp commented 6 years ago

Also having this issue. Only want to grant scopes when they are explicitly passed.

Jwilsonps commented 4 years ago

+1
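A scope-resolution routine along the lines the reporter and rcwsr ask for, as an added example that is not oauth2-php's own code (the function name and the config arrays are assumptions): an omitted scope falls back to a configurable default that is empty unless set, instead of expanding to every supported scope, and an unknown scope is rejected rather than silently widened.

```php
<?php
// Added example, not part of oauth2-php. Function and parameter names are assumptions.

/**
 * Decide which scopes a token may carry.
 *
 * @param string|null $requestedScope  space-delimited "scope" parameter, or null when omitted
 * @param string[]    $supportedScopes scopes the server knows about (cf. CONFIG_SUPPORTED_SCOPES)
 * @param string[]    $defaultScopes   scopes granted when "scope" is omitted; empty unless configured
 * @return string[]   scopes to embed in the token
 * @throws InvalidArgumentException for an unknown scope (to be mapped to an invalid_scope error)
 */
function resolveGrantedScope(?string $requestedScope, array $supportedScopes, array $defaultScopes = []): array
{
    if ($requestedScope === null || trim($requestedScope) === '') {
        // RFC 6749 section 3.3 lets the server apply a default. Use the configured
        // default (restricted to supported scopes), never the full supported list.
        return array_values(array_intersect($defaultScopes, $supportedScopes));
    }

    $requested = preg_split('/\s+/', trim($requestedScope));
    $unknown = array_diff($requested, $supportedScopes);
    if ($unknown !== []) {
        // A client asking for a scope the server does not offer gets an error,
        // not a token with the unknown scope dropped or replaced.
        throw new InvalidArgumentException('invalid_scope: ' . implode(' ', $unknown));
    }
    // An explicit request is honoured exactly as given, with duplicates removed.
    return array_values(array_unique($requested));
}

// Constructed sample configuration for a stand-alone run.
$supported = ['read', 'write', 'admin'];

// Omitted scope with no configured default: the token carries no scope.
var_dump(resolveGrantedScope(null, $supported));
// Omitted scope with a configured default: only that default is granted.
var_dump(resolveGrantedScope(null, $supported, ['read']));
// Explicit request: granted as requested, nothing added.
var_dump(resolveGrantedScope('read write', $supported));
// Unknown scope: rejected.
try {
    resolveGrantedScope('read superuser', $supported);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```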