indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

500 response from server when no scopes are specified in the device code flow #698

Open federicaagostini opened 5 months ago

federicaagostini commented 5 months ago

When a request for a device code to the /devicecode endpoint does not specify the list of scopes, the subsequent request to the /token endpoint returns a 500 server error:

{
  "error": "server_error",
  "error_description": "Internal Server Error"
}

The OAuth specification says

   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).

Since in other flows IAM returns all the scopes allowed for the client when the scope parameter is not specified, I suggest using the same approach for the device code flow.
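The handling the quoted RFC 6749 §3.3 text requires, applied to the device authorization grant (RFC 8628), as an added example that is not IAM's code and not part of this issue. It models a minimal authorization server in Python: an omitted scope parameter on /devicecode resolves to the client's pre-defined default (here, all scopes the client is registered for, matching the behaviour the report describes for IAM's other flows) or, if the server is configured without a default, fails with invalid_scope; either way the later /token call receives a well-formed scope set and answers with an OAuth error body instead of a 500. The client registry, endpoint names, verification URI and the default_to_allowed flag are assumptions for illustration.

```python
import secrets
from dataclasses import dataclass

# Constructed registry (hypothetical): one client and the scopes it is allowed to request.
CLIENTS = {"device-client": {"allowed_scopes": {"openid", "profile", "offline_access"}}}

DEVICE_CODE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628 section 3.4


class OAuthError(Exception):
    """An OAuth 2.0 error response (RFC 6749 section 5.2, RFC 8628 section 3.5)."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description

    def to_json(self):
        return {"error": self.error, "error_description": self.description}


@dataclass
class DeviceAuthorization:
    client_id: str
    scopes: frozenset
    device_code: str
    user_code: str
    approved: bool = False


PENDING = {}  # device_code -> DeviceAuthorization (in-memory store for the example)


def resolve_scopes(client_id, scope_param, default_to_allowed=True):
    """Apply RFC 6749 section 3.3: omitted scope -> pre-defined default or invalid_scope.

    default_to_allowed (assumed setting) selects which of the two permitted behaviours
    the server uses when the client omits the parameter. Unknown client -> invalid_client.
    """
    client = CLIENTS.get(client_id)
    if client is None:
        raise OAuthError("invalid_client", "unknown client")
    allowed = client["allowed_scopes"]
    if scope_param is None or not scope_param.strip():
        if default_to_allowed:
            return frozenset(allowed)  # default value: every scope the client is allowed
        raise OAuthError("invalid_scope", "scope parameter is required")
    requested = frozenset(scope_param.split())
    not_allowed = requested - allowed
    if not_allowed:
        raise OAuthError("invalid_scope", "scope not allowed: " + " ".join(sorted(not_allowed)))
    return requested


def device_authorization(params, default_to_allowed=True):
    """POST /devicecode (RFC 8628 section 3.1/3.2): validate scope up front, then issue codes."""
    scopes = resolve_scopes(params.get("client_id"), params.get("scope"), default_to_allowed)
    auth = DeviceAuthorization(
        client_id=params["client_id"],
        scopes=scopes,
        device_code=secrets.token_urlsafe(32),
        user_code=secrets.token_hex(4).upper(),
    )
    PENDING[auth.device_code] = auth
    return {
        "device_code": auth.device_code,
        "user_code": auth.user_code,
        "verification_uri": "https://iam.example/device",  # hypothetical
        "expires_in": 600,
        "interval": 5,
    }


def approve(user_code):
    """Simulates the user approving the request at the verification URI."""
    for auth in PENDING.values():
        if auth.user_code == user_code:
            auth.approved = True
            return True
    return False


def token(params):
    """POST /token with the device_code grant (RFC 8628 section 3.4/3.5)."""
    if params.get("grant_type") != DEVICE_CODE_GRANT:
        raise OAuthError("unsupported_grant_type", "expected " + DEVICE_CODE_GRANT)
    auth = PENDING.get(params.get("device_code"))
    if auth is None or auth.client_id != params.get("client_id"):
        raise OAuthError("invalid_grant", "unknown or mismatched device_code")
    if not auth.approved:
        raise OAuthError("authorization_pending", "user has not approved the request yet")
    del PENDING[auth.device_code]  # single use
    # auth.scopes is always a set here, even when the client omitted the scope parameter.
    return {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": " ".join(sorted(auth.scopes)),
    }


def handle(endpoint, params, default_to_allowed=True):
    """Dispatch and map OAuthError to (HTTP status, JSON body); only unexpected exceptions become a 500."""
    try:
        if endpoint == "/devicecode":
            return 200, device_authorization(params, default_to_allowed)
        if endpoint == "/token":
            return 200, token(params)
        return 404, {"error": "not_found", "error_description": endpoint}
    except OAuthError as e:
        return (401 if e.error == "invalid_client" else 400), e.to_json()
```

With the default setting the token response for a scope-less /devicecode request carries the client's full allowed scope set; with default_to_allowed=False the same request is rejected at /devicecode with invalid_scope, which is the other behaviour the specification permits. In both cases the error is a 400 with a JSON body, never a server_error.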

federicaagostini commented 4 months ago

This bug was found on https://iam.cloud.infn.it, but it did not happen locally nor on https://iam-dev.cloud.cnaf.infn.it