Open Jo-stfc opened 1 month ago
Hello, which is exactly the use case of this requirement?
As stated in the OAuth2 specification:

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted.
looks like IAM is compliant with this behavior -- no error returned if the scopes released are just a subset of the ones requested, and the list of released scopes is returned by the server.
if during the oidc-gen the scope offline_access is not specified, the command to generate a token correctly reports it as an error
.modify:/dteam:/test/" --scope="storage.create:/dteam:/test/" --time=3600 test3
Error: invalid_scope: Scope 'storage.create:/dteam:/test/' not allowed for client 'c3831b97-d727-4e05-9f0c-3df1309bf4a8'
We cannot get these scopes with the current configuration. To get these scopes you might need to adapt the account configuration with
$ oidc-gen -m test3
but it also might be necessary to change the client configuration with the OpenID provider.
However, if you specify the offline_access scope but the oidc provider does not grant you that access, the above command would still generate a token, but it would not include the requested scope and this can only be identified by decoding the token (endpoints the token was attempted to use against will only say permission denied).
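The check the thread is asking for can be done client-side from the token response itself, since the server MUST send back the `scope` parameter whenever the granted scope differs from the requested one. The following is an added example, not code from oidc-agent or the IAM project: it compares the requested scope list with the granted one, falling back to the `scope` claim inside the access token when the response omits the parameter, and produces the kind of warning the issue proposes. The sample token responses are constructed for the demonstration (the JWTs are unsigned and the signature is not verified; the point is only to inspect claims the issuer returned).

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_payload(token: str) -> dict:
    """Return the decoded payload of a compact JWT.

    The signature is NOT verified here: this only inspects claims of a token that
    the client already received from the issuer over TLS, to report what was granted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (opaque token?)")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(requested: str, token_response: dict) -> list:
    """Scopes that were requested but not granted, as a sorted list.

    Uses the 'scope' response parameter (RFC 6749 section 5.1) when present.
    If the server omitted it, the spec says the granted scope equals the requested
    one, but we still cross-check against the 'scope' claim of a JWT access token.
    """
    requested_set = set(requested.split())
    granted_str = token_response.get("scope")
    if granted_str is None:
        try:
            granted_str = jwt_payload(token_response["access_token"]).get("scope", requested)
        except ValueError:
            # Opaque token and no 'scope' parameter: nothing more we can learn locally.
            granted_str = requested
    granted_set = set(granted_str.split())
    return sorted(requested_set - granted_set)


def check_grant(requested: str, token_response: dict) -> str:
    """Human-readable verdict, in the spirit of the warning the issue asks oidc-gen to print."""
    missing = missing_scopes(requested, token_response)
    if not missing:
        return "ok: all requested scopes granted"
    return "warning: token issued without requested scope(s): " + " ".join(missing)


def _make_sample_jwt(claims: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data: the scope string from the issue plus offline_access.
REQUESTED = "openid offline_access storage.create:/dteam:/test/"

# Server granted a subset and, as required, reported it in the 'scope' parameter.
RESPONSE_SUBSET = {
    "access_token": _make_sample_jwt({"sub": "user", "scope": "openid storage.create:/dteam:/test/"}),
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid storage.create:/dteam:/test/",
}

# Server omitted the 'scope' parameter; only the token's own claim reveals the reduction.
RESPONSE_NO_SCOPE_PARAM = {
    "access_token": _make_sample_jwt({"sub": "user", "scope": "openid"}),
    "token_type": "Bearer",
    "expires_in": 3600,
}

# Everything requested was granted.
RESPONSE_FULL = {
    "access_token": _make_sample_jwt({"sub": "user", "scope": REQUESTED}),
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": REQUESTED,
}

if __name__ == "__main__":
    for name, resp in [("subset", RESPONSE_SUBSET), ("no-scope-param", RESPONSE_NO_SCOPE_PARAM), ("full", RESPONSE_FULL)]:
        print(f"{name}: {check_grant(REQUESTED, resp)}")
```

Comparing against the `scope` response parameter is the cheap, spec-backed check; decoding the token is only a fallback for servers that omit the parameter or for catching the case the thread describes, where the token is issued but lacks the requested capability. Neither replaces verifying the token's signature before trusting it for anything else.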
Hi, would it be possible to print an error or warning when a token is requesting capabilities not granted by the server? Currently it fails silently by granting a token without the requested capabilities.