authlib / example-oauth2-server

Example for OAuth 2 Server for Authlib.
https://authlib.org/

invalid_scope - RFC conformance? #52

Closed lyOnHub closed 5 years ago

lyOnHub commented 5 years ago

An invalid_scope error is returned when the request contains a scope different from the one assigned to the user. Will this cause an interoperability problem? RFC 6749, section 3.3 states the following (see bold text):

3.3. Access Token Scope

The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued.

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

 scope       = scope-token *( SP scope-token )
 scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted.

If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
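To show how a token endpoint can satisfy the quoted section 3.3 by narrowing the requested scope instead of rejecting it, here is an added Python example written for this thread; it is not Authlib's code nor the example server's. The `allowed` and `default` inputs stand in for whatever policy the real server consults, and the access_token value is a placeholder.

```python
import re

# RFC 6749 section 3.3 ABNF: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
# i.e. printable ASCII except space, double quote (0x22) and backslash (0x5C).
SCOPE_TOKEN = re.compile(r'^[\x21\x23-\x5B\x5D-\x7E]+$')


class InvalidScopeError(ValueError):
    """Maps onto the OAuth 2.0 'invalid_scope' error response."""


def parse_scope(scope):
    """Split a scope string into tokens per the ABNF (strict: one SP between tokens)."""
    tokens = scope.split(' ')
    if any(not SCOPE_TOKEN.match(t) for t in tokens):
        raise InvalidScopeError('malformed scope-token')
    return set(tokens)


def grant_scope(requested, allowed, default=None):
    """Decide the granted scope for one token request (RFC 6749 section 3.3).

    requested: the 'scope' request parameter, or None if the client omitted it.
    allowed:   scopes this user/client may receive (assumed server policy input).
    default:   pre-defined default used when 'scope' is omitted; None = fail.
    Returns (granted_tokens, must_echo_scope).
    """
    if requested is None:
        if default is None:
            raise InvalidScopeError('scope omitted and no default defined')
        requested = default
    wanted = parse_scope(requested)
    # Narrow instead of rejecting: the server MAY partially ignore the request.
    granted = wanted & set(allowed)
    if not granted:
        # Policy choice (the RFC leaves it open): nothing grantable -> invalid_scope.
        raise InvalidScopeError('none of the requested scopes can be granted')
    # The 'scope' response parameter is REQUIRED when granted != requested.
    return granted, granted != wanted


def token_response(requested, allowed, default=None):
    """Build the token response body; the access_token value is a placeholder."""
    granted, echo = grant_scope(requested, allowed, default)
    body = {'access_token': 'PLACEHOLDER_TOKEN', 'token_type': 'Bearer'}
    if echo:
        body['scope'] = ' '.join(sorted(granted))
    return body
```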

lepture commented 5 years ago

Fixed in Authlib v0.12

lepture commented 5 years ago

Thanks for reporting.