Bug
Reproduction Steps
Start an authorization flow, making sure to use a scope which wasn't previously granted to the application. After selecting a character, when presented with a list of required and already granted scopes, click the Cancel button.
Actual Behaviour
The authorization flow will proceed as if the Authorize button was clicked, with the user being redirected back to the application's callback URL with a code/token containing the new scopes, despite the user clicking the Cancel button.
Expected Behaviour
The authorization flow should be stopped somehow.
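
One way a consent endpoint can honour the Cancel button, as an added example that is not the SSO provider's code. The form field `decision`, the `pending` request record and the scope names are assumptions; `access_denied` is the error RFC 6749 section 4.1.2.1 defines for a denied request.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def handle_consent(form, pending, granted):
    """Return (redirect_url, code) for a submitted consent form.

    form    -- submitted fields; 'decision' is a hypothetical field name
    pending -- authorization request stored server-side
               (redirect_uri, state, scopes)
    granted -- set of scopes this user already granted to the application
    """
    params = {"state": pending["state"]}
    # Fail closed: anything other than an explicit "authorize" is a denial,
    # including Cancel, a missing field, or an unexpected value.
    if form.get("decision") != "authorize":
        params["error"] = "access_denied"  # RFC 6749 section 4.1.2.1
        code = None
    else:
        # Record the new scopes only after explicit approval.
        granted.update(pending["scopes"])
        code = secrets.token_urlsafe(32)
        params["code"] = code
    sep = "&" if "?" in pending["redirect_uri"] else "?"
    return pending["redirect_uri"] + sep + urlencode(params), code


def query(url):
    """Parse the query string of a redirect URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample request: one scope already granted, one new.
    pending = {"redirect_uri": "https://app.example/callback",
               "state": "xyz", "scopes": {"scope.old", "scope.new"}}
    for decision in ("cancel", "authorize"):
        granted = {"scope.old"}
        url, code = handle_consent({"decision": decision}, pending, granted)
        print(decision, query(url), sorted(granted))
```
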