Issue (status: Open), opened by jmandel 11 years ago
Scope belongs in the response for Token grants here: https://github.com/jaredhanson/oauth2orize/blob/2531d7ea51ad14822b7aeae3d396feff5fd0a519/lib/grant/code.js#L138
And also belongs in the response for Authorization Code grants: https://github.com/jaredhanson/oauth2orize/blob/2531d7ea51ad14822b7aeae3d396feff5fd0a519/lib/grant/code.js#L138
+1
http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.2.2
If scope is different from the app's requested scope, it's a required parameter (otherwise optional). Since the decision middleware doesn't explicitly handle scope, it has no way to tell if the issued token matches the requested scope.
The safest simple thing to do here is to always include scope in the redirection hash...
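As an added example (not oauth2orize's own code), this shows the "always include scope" approach for the token (implicit) grant redirect described in section 4.2.2, plus the client-side comparison that lets an app notice when the issued scope is not what it asked for. Function names and the sample client redirect URI are assumptions.

```javascript
// Added example, not part of the issue or of oauth2orize. Builds the implicit-grant
// redirect (RFC 6749 / draft-31 section 4.2.2) with scope always present, and lets
// a client compare the issued scope against the scope it requested.

// Parse a space-delimited scope string into a sorted, de-duplicated array.
function parseScope(scope) {
  if (!scope) return [];
  return [...new Set(scope.trim().split(/\s+/))].sort();
}

// True when issued scope equals requested scope, ignoring order and duplicates.
function scopeMatches(requested, issued) {
  const a = parseScope(requested), b = parseScope(issued);
  return a.length === b.length && a.every((s, i) => s === b[i]);
}

// Server side: build the redirect for a token grant. Parameters live in the
// fragment, never the query. The spec only REQUIRES scope when it differs from
// the request; emitting it unconditionally removes the ambiguity for clients.
function buildImplicitRedirect(redirectUri, opts) {
  const { accessToken, tokenType = 'Bearer', expiresIn, issuedScope, state } = opts;
  const params = new URLSearchParams();
  params.set('access_token', accessToken);
  params.set('token_type', tokenType);
  if (expiresIn !== undefined) params.set('expires_in', String(expiresIn));
  params.set('scope', parseScope(issuedScope).join(' ')); // always included
  if (state !== undefined) params.set('state', state);    // required if sent in the request
  const url = new URL(redirectUri);
  url.hash = params.toString();
  return url.toString();
}

// Client side: read the fragment and report whether the issued scope differs
// from the requested one, so the app never assumes permissions it was not granted.
function checkIssuedScope(redirectedUrl, requestedScope) {
  const params = new URLSearchParams(new URL(redirectedUrl).hash.replace(/^#/, ''));
  const issued = params.get('scope');
  if (issued === null) {
    // Absent scope means "identical to the requested scope" per the spec.
    return { scopeDiffers: false, issuedScope: parseScope(requestedScope) };
  }
  return { scopeDiffers: !scopeMatches(requestedScope, issued), issuedScope: parseScope(issued) };
}
```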