thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

The `scope` parameter has been mistakenly required on device access token request #1411

Open hafezdivandari opened 1 month ago

hafezdivandari commented 1 month ago

In the device authorization flow, according to RFC 8628, the "Device Access Token Request" should send these parameters:

As you can see, there is no scope parameter, because the scope parameter had already been sent in the first step, the "Device Authorization Request":

The scopes are requested by the client on the first request and should be persisted in the DB. When the user enters the user code, we display the client info and the list of scopes to be approved by the user. So the client shouldn't specify scopes on the last request, but the current implementation mistakenly requires scopes in DeviceCodeGrant::respondToAccessTokenRequest():

https://github.com/thephpleague/oauth2-server/blob/2ed9e5f65045bebf9e99c33ef1558dcd6d0206b7/src/Grant/DeviceCodeGrant.php#L140-L141

I think you should get the scopes from $deviceCodeEntity instead, which was persisted on the DB.

-$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
$deviceCodeEntity = $this->validateDeviceCode($request, $client);
+$scopes = $deviceCodeEntity->getScopes(); // no need to call `validateScope` because already done on `respondToDeviceAuthorizationRequest` before persisting to DB
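Review bot: the `+` line depends on `respondToDeviceAuthorizationRequest` having already applied the `$this->defaultScope` fallback and `validateScopes` before the device code was persisted, since the removed `-` line was the only place in this method that did so; worth confirming that path also applies the default scope when the client omits `scope`, otherwise a device code persisted without scopes would now yield a token with none. Ignoring (rather than rejecting) a `scope` parameter on the token request is consistent with RFC 8628, which gives it no meaning on that request.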

Am I missing something?
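The flow the issue describes, as an added PHP example that is not the library's code: the scopes are validated and persisted with the device code at the authorization request, and the token request derives them from the stored entity rather than from a `scope` parameter. Class names, the in-memory store and the allowed and default scopes are assumptions.

```php
<?php
// Added example, not the library's code: a minimal model of the two RFC 8628 requests.
// Class names, the in-memory store and the allowed/default scopes are assumptions.
final class DeviceCode
{
    public function __construct(
        public readonly string $deviceCode,
        public readonly string $clientId,
        public readonly array $scopes,   // validated and persisted at authorization time
        public readonly int $expiresAt,
        public bool $approved = false,   // set once the user approves the listed scopes
    ) {}
}

final class DeviceFlow
{
    private const ALLOWED_SCOPES = ['openid', 'profile', 'email'];
    private const DEFAULT_SCOPE = ['openid'];
    /** @var array<string, DeviceCode> constructed in-memory store standing in for the DB */
    private array $store = [];
    // Step 1: Device Authorization Request. `scope` is parsed, defaulted and validated once here.
    public function authorizationRequest(string $clientId, ?string $scope, int $now): DeviceCode
    {
        $requested = $scope === null ? self::DEFAULT_SCOPE : explode(' ', $scope);
        foreach ($requested as $s) {
            if (!in_array($s, self::ALLOWED_SCOPES, true)) {
                throw new InvalidArgumentException("invalid_scope: $s");
            }
        }
        $code = new DeviceCode(bin2hex(random_bytes(16)), $clientId, $requested, $now + 600);
        return $this->store[$code->deviceCode] = $code;
    }

    // Step 2: Device Access Token Request. Only grant_type, device_code and client_id matter;
    // a `scope` parameter sent here is ignored and the persisted scopes are used instead.
    public function accessTokenRequest(array $params, int $now): array
    {
        if (($params['grant_type'] ?? '') !== 'urn:ietf:params:oauth:grant-type:device_code') {
            throw new InvalidArgumentException('unsupported_grant_type');
        }
        $code = $this->store[$params['device_code'] ?? ''] ?? null;
        if ($code === null || !hash_equals($code->clientId, (string) ($params['client_id'] ?? ''))) {
            throw new InvalidArgumentException('invalid_grant');
        }
        if ($code->expiresAt < $now) { throw new InvalidArgumentException('expired_token'); }
        if (!$code->approved)        { throw new InvalidArgumentException('authorization_pending'); }
        return ['access_token' => bin2hex(random_bytes(32)), 'scope' => implode(' ', $code->scopes)];
    }
}
```

Setting `$approved = true` on the stored entity models the user consenting to the scopes shown at the user-code step; until then the token request keeps answering `authorization_pending`.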

hafezdivandari commented 1 month ago

@Sephster would you please take a look? It seems to be a bug.

Sephster commented 1 month ago

Does indeed look to be a bug. Thanks for spotting this. I'm tied up the next few days but will get to this early next week. Cheers @hafezdivandari