an "authorization server MAY fully or partially ignore the scope requested by the client" [RFC6749, Sect. 3.3]. In the authorization server's access token response, the scope field is "OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED" [RFC6749, Sect. 5.1].
I have a client that obtains an access token using the client credentials flow, using oauth-essentials 0.8. The scope issued by the authorization server is in fact different from the requested scope.
With the debugger, I can see the issued scope in the field JsonAccessToken#mTokenresponse. However, if I try to inspect the scope programmatically by calling OAuth2AccessToken#scope(), I get the value of the field JsonAccessToken#mScope which is passed in (via TokenResponseHandler from ClientCredentialsTokenRequest).
Is this a bug or did I miss something?
Cheers, Christoph
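The RFC 6749 rule the post quotes, shown as an added example in Python (this is not oauth-essentials code and not part of the original post; the requested scope, the three token responses and the function names are constructed for illustration). It contrasts the behaviour described above, where the client ends up with the scope it requested, with a client that reads the granted scope from the token response body and falls back to the requested scope only when the response omits the "scope" member, as Sect. 5.1 permits:

```python
"""Read the granted scope from an OAuth 2.0 token response (RFC 6749).

Sect. 3.3: the authorization server MAY fully or partially ignore the scope
the client requested.
Sect. 5.1: the response's "scope" member is OPTIONAL if identical to the
requested scope, otherwise REQUIRED.
A client therefore takes the granted scope from the response body and falls
back to the requested scope only when the response has no "scope" member.
"""
import json

# Constructed sample data (not captured from any real server); the token
# values are the example strings used in RFC 6749 itself.
REQUESTED_SCOPE = "read write admin"

RESPONSE_NARROWED = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "read",                     # server ignored "write" and "admin"
})
RESPONSE_UNCHANGED = json.dumps({
    "access_token": "tGzv3JOkF0XG5Qx2TlKWIA",
    "token_type": "Bearer",
    "expires_in": 3600,                  # no "scope": granted == requested
})
RESPONSE_WIDENED = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "read write admin audit",   # more than the client asked for
})


def parse_scope(scope_str):
    """Scope is a space-delimited list of case-sensitive strings (Sect. 3.3)."""
    return frozenset(tok for tok in scope_str.split(" ") if tok)


def requested_scope_as_granted(requested_scope, token_response_json):
    """The mistaken approach: report whatever the client asked for.

    The response body is never consulted, so a narrowed grant goes unnoticed
    and the client believes it holds scopes the server never issued.
    """
    return parse_scope(requested_scope)


def granted_scope(requested_scope, token_response_json):
    """Return the scope the server actually granted, per RFC 6749 Sect. 5.1."""
    body = json.loads(token_response_json)
    if "scope" in body:
        return parse_scope(body["scope"])
    # An absent "scope" member means "identical to what was requested".
    return parse_scope(requested_scope)


def unrequested_scopes(requested_scope, token_response_json):
    """Scopes present in the grant that the client never asked for.

    RFC 6749 does not forbid a wider grant, but a client should notice it
    rather than silently exercising privileges it did not request.
    """
    return (granted_scope(requested_scope, token_response_json)
            - parse_scope(requested_scope))


def may_call(requested_scope, token_response_json, required):
    """True only if every scope the intended API call needs was granted."""
    return parse_scope(required) <= granted_scope(requested_scope,
                                                  token_response_json)


if __name__ == "__main__":
    for name, resp in (("narrowed", RESPONSE_NARROWED),
                       ("unchanged", RESPONSE_UNCHANGED),
                       ("widened", RESPONSE_WIDENED)):
        print(name,
              "granted:", sorted(granted_scope(REQUESTED_SCOPE, resp)),
              "unrequested:", sorted(unrequested_scopes(REQUESTED_SCOPE, resp)),
              "may write:", may_call(REQUESTED_SCOPE, resp, "write"))
```

Run stand-alone, the script shows that for the narrowed response the requested-scope approach still reports "write" and "admin" while the granted scope is only "read"; the widened response is the case where a client should log or reject the extra scope rather than use it.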