No authentication header passed by wicked when the scope is not present in the request.

[fromanu]

The following scenario was tested:

• Register new application.
• Subscribe (using the Client Credentials flow) to the API named testAPI.
• Assigned someScope as the allowed scope for this subscription.
• Send a request to the token endpoint, but w/o the scope parameter in the body of the request.
• Use the retrieved token to send a request to testAPI.

Result:

• No authentication header passed by wicked.

Expected:

• Wicked sends the allowed scope(s) in the header to the backend API (e.g. x-authenticated-scope=[someScope]) even if there is no scope parameter in the body of the request.

[DonMartin76]

This is standard behaviour of Kong - if a scope was not requested, the X-Authenticated-Scope header is not sent along with the resulting access token. Non-presence of this header means empty scope.

What would your expected behaviour be? The "assigned scope" is an assignment of "allowed scopes". Other scopes will not be granted, but it does not mean that you automatically get a grant for this scope with the access token.

[DonMartin76]

Closing this - it looks as if the question was answered. If there are further things, please open a new issue.