dmfs / oauth2-essentials

An OAuth2 client implementation based on http-client-essentials.
Apache License 2.0

OAuth2AccessToken#scope() returns requested, not the issued scope #36

Closed chludwig-haufe closed 6 years ago

chludwig-haufe commented 6 years ago

Hi,

an "authorization server MAY fully or partially ignore the scope requested by the client" [RFC6749, Sect. 3.3]. In the authorization server's access token response, the scope field is "OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED" [RFC6749, Sect. 5.1].

I have a client that obtains an access token using the client credentials flow, using oauth-essentials 0.8. The scope issued by the authorization server is in fact different from the requested scope.

With the debugger, I can see the issued scope in the field JsonAccessToken#mTokenresponse. However, if I try to inspect the scope programmatically by calling OAuth2AccessToken#scope(), I get the value of the field JsonAccessToken#mScope which is passed in (via TokenResponseHandler from ClientCredentialsTokenRequest).

Is this a bug or did I miss something?

Cheers, Christoph
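The RFC 6749 rule quoted above (the `scope` member is optional only when the server granted exactly what was requested, so when it is present it is authoritative) is easy to get wrong on the client side. The following is an added example, not code from oauth2-essentials or from the issue author; it shows in Python how a client should derive the granted scope from the token response and check for a downgrade before using the token. The token responses are constructed sample values, and the function names are my own.

```python
import json

# RFC 6749 §5.1: "scope" is OPTIONAL if identical to the requested scope,
# REQUIRED otherwise. Hence: present -> authoritative; absent -> the
# requested scope was granted in full.
def issued_scope(token_response_json: str, requested_scope: str) -> set:
    """Return the set of scope tokens the authorization server actually granted."""
    response = json.loads(token_response_json)
    if "scope" in response:
        # Server narrowed (or restated) the scope: never trust the request here.
        return set(response["scope"].split())
    # No scope member means "same as requested" per the RFC.
    return set(requested_scope.split())


def scope_shortfall(requested_scope: str, granted: set) -> set:
    """Scopes the client asked for but did not receive (empty if none)."""
    return set(requested_scope.split()) - granted


def require_scopes(token_response_json: str, requested_scope: str, needed: set) -> set:
    """Fail closed: raise if the granted scope does not cover what the caller needs.

    Returns the granted scope set on success so callers can keep it alongside
    the access token instead of the scope they originally requested.
    """
    granted = issued_scope(token_response_json, requested_scope)
    missing = needed - granted
    if missing:
        raise PermissionError(f"token lacks required scope(s): {sorted(missing)}")
    return granted


if __name__ == "__main__":
    # Constructed sample responses (not real tokens).
    narrowed = '{"access_token": "sample-token", "token_type": "Bearer", "scope": "read"}'
    full = '{"access_token": "sample-token", "token_type": "Bearer"}'
    requested = "read write"

    print("narrowed response ->", sorted(issued_scope(narrowed, requested)))  # ['read']
    print("shortfall         ->", sorted(scope_shortfall(requested, issued_scope(narrowed, requested))))  # ['write']
    print("full response     ->", sorted(issued_scope(full, requested)))  # ['read', 'write']
    try:
        require_scopes(narrowed, requested, {"write"})
    except PermissionError as e:
        print("refused:", e)
```

The point of `require_scopes` is that a client which, like the buggy accessor described in the issue, keeps only the requested scope will happily call an API with a token that the server silently downgraded; comparing against the issued scope turns that into an explicit failure at the client instead of an authorization error at the resource server.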

dmfs commented 6 years ago

Looks like a bug indeed. I'll take care of this.

dmfs commented 6 years ago

#37 will fix this. It should be released as 0.8.1 by tomorrow afternoon.

chludwig-haufe commented 6 years ago

Great, thanks!

dmfs commented 6 years ago

Fixed in 0.8.1