indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

error/warning when requesting scopes not granted by the IAM server #769

Open Jo-stfc opened 1 month ago

Jo-stfc commented 1 month ago

Hi, would it be possible to print an error or warning when a token request asks for capabilities not granted by the server? Currently it fails silently by granting a token without the requested capabilities.

federicaagostini commented 1 month ago

Hello, what exactly is the use case for this requirement?

As stated in the OAuth2 specification

   The authorization server MAY fully or partially ignore the scope
   requested by the client, based on the authorization server policy or
   the resource owner's instructions.  If the issued access token scope
   is different from the one requested by the client, the authorization
   server MUST include the "scope" response parameter to inform the
   client of the actual scope granted.

Looks like IAM is compliant with this behavior: no error is returned if the scopes released are just a subset of the ones requested, and the list of released scopes is returned by the server.

Jo-stfc commented 1 month ago

If, during oidc-gen, the scope offline_access is not specified, the command to generate a token correctly reports it as an error:

   .modify:/dteam:/test/" --scope="storage.create:/dteam:/test/" --time=3600 test3

   Error: invalid_scope: Scope 'storage.create:/dteam:/test/' not allowed for client 'c3831b97-d727-4e05-9f0c-3df1309bf4a8'
   We cannot get these scopes with the current configuration. To get these scopes you might need to adapt the account configuration with
           $ oidc-gen -m test3
   but it also might be necessary to change the client configuration with the OpenID provider.

However, if you specify the offline_access scope but the OIDC provider does not grant you that access, the above command still generates a token, but it does not include the requested scope, and this can only be identified by decoding the token (endpoints the token is used against will only say permission denied).
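The two comments above describe the same situation from both sides: the server is allowed to narrow the requested scope as long as it reports the granted set in the `scope` response parameter, and a client that does not compare the two only finds out later, by decoding the token or hitting a permission-denied error. The following added example (my own code, not part of oidc-agent or INDIGO IAM) shows the client-side check that closes that gap: it diffs the requested scopes against the `scope` parameter of the token response and, if the server omitted that parameter, falls back to the `scope` claim of a JWT access token. The token responses and JWT claims are constructed test data; the scope value `storage.create:/dteam:/test/` is taken from the thread, while `openid`, `offline_access` and the `sub` value are assumed. The JWT is only base64url-decoded here, not signature-verified: this is a sanity check on what was granted, not token validation.

```python
"""Detect requested OAuth2 scopes that the authorization server silently dropped.

RFC 6749 section 3.3 lets the server narrow the requested scope but then
requires the "scope" response parameter to carry the granted set. This helper
compares requested vs. granted and falls back to the JWT "scope" claim when the
parameter is missing. The JWT payload is decoded without signature verification
(client-side diagnostic only, not validation).
"""
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def scopes_from_jwt(token: str) -> set[str]:
    """Return the space-separated 'scope' claim of a JWT payload (unverified)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    return set(payload.get("scope", "").split())


def granted_scopes(token_response: dict) -> set[str]:
    """Scopes actually granted: prefer the 'scope' response parameter and only
    fall back to decoding the access token when the server omitted it."""
    if "scope" in token_response:
        return set(token_response["scope"].split())
    return scopes_from_jwt(token_response["access_token"])


def missing_scopes(requested: set[str], token_response: dict) -> set[str]:
    """Requested scopes the server did not grant (empty set when all were granted)."""
    return requested - granted_scopes(token_response)


def check_token_response(requested: set[str], token_response: dict,
                         strict: bool = False) -> set[str]:
    """Warn (or, with strict=True, raise) when the grant is narrower than requested.

    Returns the set of dropped scopes so callers can log or act on it."""
    missing = missing_scopes(requested, token_response)
    if missing:
        msg = "requested scopes not granted: " + " ".join(sorted(missing))
        if strict:
            raise PermissionError(msg)
        print("warning:", msg)
    return missing


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none JWT for the constructed sample below.
    Test data only: a real client must never accept unsigned tokens."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed sample data (hypothetical): the client asked for three scopes,
# the server granted only two.
SAMPLE_REQUESTED = {"openid", "offline_access", "storage.create:/dteam:/test/"}
_SAMPLE_JWT = make_unsigned_jwt({"sub": "example-user", "scope": "openid offline_access"})

# Spec-compliant response: the narrowed grant is reported in the 'scope' parameter.
SAMPLE_RESPONSE_WITH_SCOPE = {
    "access_token": _SAMPLE_JWT,
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid offline_access",
}

# Response with no 'scope' parameter: the only place to look is the token itself.
SAMPLE_RESPONSE_NO_SCOPE = {
    "access_token": _SAMPLE_JWT,
    "token_type": "Bearer",
    "expires_in": 3600,
}

if __name__ == "__main__":
    check_token_response(SAMPLE_REQUESTED, SAMPLE_RESPONSE_WITH_SCOPE)
    check_token_response(SAMPLE_REQUESTED, SAMPLE_RESPONSE_NO_SCOPE)
```

The `strict` flag is the behaviour the issue asks for (fail the request when the grant is narrower); the default only warns, which matches the spec's position that a partial grant is a valid outcome the client has to handle. The JWT fallback exists because, as the last comment notes, the token is the only evidence left once the response parameter is absent; it does nothing for opaque access tokens, where the `scope` parameter or an introspection call is the sole source of truth.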