thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Access Token Scope not meeting oAuth 2 specification requirements? #1260

Closed cvigorsICBF closed 2 years ago

cvigorsICBF commented 2 years ago

Hi, in the client credentials docs it has the scope included in the request, but only the token_type, expires_in and access_token are included in the response. The scope is not included in the response.

What happens if a client requests a scope that they are not allowed access to?

According to the oauth2 specification, it states that: "If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted."

For example

A client has been granted access to scope “scope1”, but requests “scope1 scope2”

```json
{
  "grant_type": "client_credentials",
  "client_id": "test",
  "client_secret": "test_secret",
  "scope": "scope1 scope2"
}
```

The server responds with the expected fields:

```json
{
  "token_type": "Bearer",
  "expires_in": 86400,
  "access_token": "eyJ0eXAiOiJ........"
}
```

There is nothing in the response to indicate to the client what scopes the access_token can be used for.

Should the response actually be:

```json
{
  "token_type": "Bearer",
  "expires_in": 86400,
  "access_token": "eyJ0eXAiOiJ........",
  "scope": "scope1"
}
```
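One way to get the granted scope into the token response today, as an added example that is not part of the original issue or of the library's code: a custom response type that overrides the `getExtraParams` hook. It assumes league/oauth2-server 8.x, where `BearerTokenResponse` exposes that protected method and `AuthorizationServer` accepts a response type as its sixth constructor argument.

```php
<?php
// Added example, not the library's own code. Assumes league/oauth2-server 8.x:
// BearerTokenResponse::getExtraParams(AccessTokenEntityInterface) is merged
// into the token response, and AccessTokenEntityInterface::getScopes() returns
// ScopeEntityInterface[] with getIdentifier().
declare(strict_types=1);

use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;

final class ScopeReportingBearerTokenResponse extends BearerTokenResponse
{
    /**
     * RFC 6749 section 5.1: "scope" is REQUIRED when the granted scope differs
     * from the requested one and OPTIONAL when it is identical. The requested
     * scope is not visible in this hook, so the granted scope is emitted
     * unconditionally, which satisfies both cases. A client that asked for
     * "scope1 scope2" but was only granted "scope1" therefore sees
     * "scope": "scope1" and can notice the reduced grant.
     *
     * @return array<string, string>
     */
    protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
    {
        $identifiers = [];
        foreach ($accessToken->getScopes() as $scope) {
            $identifiers[] = $scope->getIdentifier();
        }

        // Scope strings are space-delimited per RFC 6749 section 3.3.
        return ['scope' => implode(' ', $identifiers)];
    }
}

// Wiring (assumed constructor order for 8.x): pass the response type as the
// sixth AuthorizationServer argument in place of the default BearerTokenResponse.
// $server = new AuthorizationServer(
//     $clientRepository,
//     $accessTokenRepository,
//     $scopeRepository,
//     $privateKey,
//     $encryptionKey,
//     new ScopeReportingBearerTokenResponse()
// );
```

On the client side, compare the returned `scope` against what was requested before relying on the token, since a narrower grant is a normal, spec-sanctioned outcome rather than an error.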

Sephster commented 2 years ago

Thanks for reporting. This does appear to not conform to the specs. Will flag this as a bug. Thanks for reporting

Sephster commented 2 years ago

Realised this is a duplicate of #793 so closing in favour of that. Thank you for reporting though @cvigorsICBF