KantaraInitiative / wg-uma

This is the repository of all specifications related to the User Managed Access Group
http://kantarainitiative.org/confluence/display/uma/

Possible to get an RPT for a resource with no scopes? #317

Closed xmlgrrl closed 7 years ago

xmlgrrl commented 7 years ago

In Grant Sec 3.3.4, @jricher suggests:

"'If the value of CandidateGrantedScopes is null...' should really only be true if the requested scopes were also non-null. Couldn't I get a token for a resource set with no scopes and have that be valid?"

The specific language in question is:

"If the value of CandidateGrantedScopes is null, the result is authorization failure and the authorization server MUST subsequently issue one of the error codes (Section 3.3.6)."

xmlgrrl commented 7 years ago

Per UMA telecon 2017-05-18:

Did Justin mean "also non-null", or did he mean "also null"?

Gluu first gets a token with no scopes, and then adds scopes to it. Is that first token a true RPT? It doesn't have permissions associated with it, so this could be a sort of interim step.

It's certainly okay for a client not to pre-register for/request scopes. And we decided that it's okay for the RS to include zero scopes in its permission ticket. (Justin had made a separate comment about some inconsistency in FedAuthz about our language on this point.) So if we were serious about allowing zero scopes in RequestedScopes, then if that is null too, then it should be possible to issue a token with "nothing – that's what you wanted, and you'll like it!" But if it was non-null, that should result in a hard error. So we need to break this out into two bullets, with the two different conditions. Or the more elegant solution is to remove "is non-null" from the current last bullet, because if CandidateGrantedScopes is null and RequestedScopes is non-null, then the former is < the latter, and it would come under the third bullet. There should be only two logical bullets: = and <.

xmlgrrl commented 7 years ago

Per UMA telecon 2017-05-25: Issue #317: The two logical response options, = and <, shouldn't say MUST; for consistency they should just say "the authorization server responds...". (Yes, Justin did mean non-null!)
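The scope comparison that the two telecon notes settle on (two logical outcomes, "=" and "<", with a null CandidateGrantedScopes against a non-null RequestedScopes landing under "<", and null against null landing under "="), as an added illustration that is not part of the issue thread or the wg-uma repository. The outcome labels, the per-resource helper names and the sample ticket are my own; the check that the candidate set never contains a scope that was not requested is an assumption about how the authorization server computes it, not something the thread states.

```python
"""Scope comparison behind the UMA 2.0 Grant RPT decision discussed in #317.

Added illustration, not code from the wg-uma repository or the spec text.
It models the comparison between RequestedScopes and CandidateGrantedScopes
with Python sets, using the empty set for "null"; the outcome labels EQUAL
and LESS are my own names for the two logical bullets ("=" and "<").
"""
from __future__ import annotations

EQUAL = "equal"  # CandidateGrantedScopes == RequestedScopes
LESS = "less"    # CandidateGrantedScopes is a proper subset of RequestedScopes


def classify(requested, candidate_granted):
    """Return EQUAL or LESS for one resource's scope sets.

    None and the empty set are treated alike ("null" in the spec wording).
    Assumption: the authorization server never computes a candidate set
    containing scopes that were not requested, so a superset is rejected.
    """
    req = frozenset(requested or ())
    granted = frozenset(candidate_granted or ())
    if not granted <= req:
        raise ValueError("CandidateGrantedScopes must be a subset of RequestedScopes")
    return EQUAL if granted == req else LESS


def classify_ticket(requested_by_resource, granted_by_resource):
    """Classify every resource named in a permission ticket.

    A resource the RS listed with zero scopes (allowed per the thread) and a
    client that asked for nothing both yield the empty set and therefore EQUAL.
    Resources missing from ``granted_by_resource`` count as granted nothing.
    """
    return {
        resource: classify(scopes, granted_by_resource.get(resource))
        for resource, scopes in requested_by_resource.items()
    }


def rpt_permissions(requested_by_resource, granted_by_resource):
    """Build the permissions an RPT would carry when every resource is EQUAL.

    Returns None when any resource falls under the "<" bullet, because that
    branch's response is decided separately by the AS; an all-EQUAL ticket
    whose scope sets are empty yields a token with a resource but no scopes,
    which is the "nothing, that's what you wanted" case from the discussion.
    """
    outcomes = classify_ticket(requested_by_resource, granted_by_resource)
    if any(outcome == LESS for outcome in outcomes.values()):
        return None
    return [
        {"resource_id": resource, "resource_scopes": sorted(scopes or ())}
        for resource, scopes in requested_by_resource.items()
    ]


if __name__ == "__main__":
    # Constructed sample ticket: two resources, one listed with zero scopes.
    requested = {"photo-album": {"view", "edit"}, "calendar": set()}
    granted = {"photo-album": {"view"}, "calendar": None}
    print(classify_ticket(requested, granted))
    # {'photo-album': 'less', 'calendar': 'equal'}
    print(rpt_permissions({"calendar": set()}, {}))
    # [{'resource_id': 'calendar', 'resource_scopes': []}]
```

Treating None and the empty set alike is what makes the "zero scopes in the ticket" case and the "client requested nothing" case collapse into the same "=" outcome, while any non-empty request that the candidate set fails to cover falls under "<" without needing a separate null bullet.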