jaredhanson / oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.
https://www.oauth2orize.org?utm_source=github&utm_medium=referral&utm_campaign=oauth2orize
MIT License
3.46k stars 471 forks

Implicit grants should include scope in the redirection hash #10

Open jmandel opened 11 years ago

jmandel commented 11 years ago

http://tools.ietf.org/html/draft-ietf-oauth-v2-31#section-4.2.2

If scope is different from the app's requested scope, it's a required parameter (otherwise optional). Since the decision middleware doesn't explicitly handle scope, it has no way to tell if the issued token matches the requested scope.

The safest simple thing to do here is to always include scope in the redirection hash...
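Below is an added example, not oauth2orize's own code, showing what the comment above asks for: a server-side builder for the implicit-grant redirection URI that always carries `scope` in the fragment, a set-wise comparison implementing the spec's "required if different from the requested scope" rule, and the client-side parse that makes use of it. Names such as `buildImplicitRedirect`, `scopeDiffers` and `parseImplicitFragment` are assumptions for this example only; the token and scope values are constructed.

```javascript
// Added example (not oauth2orize code). Implicit grant, draft-ietf-oauth-v2 4.2.2:
// the token is returned in the URI fragment, and `scope` is REQUIRED there when
// the issued scope differs from what the client requested, OPTIONAL otherwise.
// Uses the WHATWG URL / URLSearchParams globals available in Node.js.

// Normalise a space-delimited scope string into a Set (order-insensitive).
function scopeSet(scope) {
  return new Set(String(scope || '').split(/\s+/).filter(Boolean));
}

// True when issued scope is not the same set as the requested scope, i.e. the
// case where the spec makes `scope` mandatory in the response.
function scopeDiffers(requestedScope, issuedScope) {
  const a = scopeSet(requestedScope);
  const b = scopeSet(issuedScope);
  if (a.size !== b.size) return true;
  for (const s of a) if (!b.has(s)) return true;
  return false;
}

// Server side: build the redirection URI for an issued token.
// `token` = { accessToken, tokenType, expiresIn, scope } (hypothetical shape).
// `scope` is always emitted, which sidesteps having to track the requested
// scope through the decision step. `state` is echoed back when the client sent it.
function buildImplicitRedirect(redirectUri, token, state) {
  const url = new URL(redirectUri);
  // RFC 6749 3.1.2: the registered redirection endpoint must not carry a fragment.
  if (url.hash) throw new Error('redirect_uri must not include a fragment');
  const params = new URLSearchParams();
  params.set('access_token', token.accessToken);
  params.set('token_type', token.tokenType || 'Bearer');
  if (token.expiresIn !== undefined) params.set('expires_in', String(token.expiresIn));
  params.set('scope', token.scope);              // always present
  if (state !== undefined) params.set('state', state);
  url.hash = params.toString();                  // "#k=v&k=v", never a query string
  return url.toString();
}

// Client side: read the fragment and compare issued scope with what was asked for.
// Returns the granted scope and whether the server narrowed it.
function parseImplicitFragment(uri, requestedScope) {
  const url = new URL(uri);
  const params = new URLSearchParams(url.hash.replace(/^#/, ''));
  const issued = params.get('scope');
  return {
    accessToken: params.get('access_token'),
    tokenType: params.get('token_type'),
    state: params.get('state'),
    scope: issued,
    narrowed: issued === null ? null : scopeDiffers(requestedScope, issued),
  };
}

// Constructed sample values for a stand-alone run.
const sampleToken = { accessToken: 'tok-sample-123', tokenType: 'Bearer', expiresIn: 3600, scope: 'read' };
const sampleUri = buildImplicitRedirect('https://client.example/cb', sampleToken, 'xyz');
console.log(sampleUri);
console.log(parseImplicitFragment(sampleUri, 'read write'));
```

Because `scope` is always present, the client can compare it against its own request without relying on the server to have remembered that the scope was reduced; the `narrowed` flag in the parsed result is exactly that comparison.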

jmandel commented 11 years ago

Scope belongs in the response for Token grants here: https://github.com/jaredhanson/oauth2orize/blob/2531d7ea51ad14822b7aeae3d396feff5fd0a519/lib/grant/code.js#L138

And also belongs in the response for Authorization Code grants: https://github.com/jaredhanson/oauth2orize/blob/2531d7ea51ad14822b7aeae3d396feff5fd0a519/lib/grant/code.js#L138

Rmannn commented 8 years ago

+1