zitadel / zitadel

ZITADEL - Identity infrastructure, simplified for you.
https://zitadel.com
Apache License 2.0

Bug: Expecting /token endpoint in authorization code flow to return scope? #6609

Open hifabienne opened 1 year ago

hifabienne commented 1 year ago

Discussed in https://github.com/zitadel/zitadel/discussions/6594

Originally posted by **rustyb** September 19, 2023

👋 Hi Folks - Hoping you can help me with a little issue I'm having here.

Reading the docs for the token endpoint https://zitadel.com/docs/apis/openidoauth/endpoints#token_endpoint I was expecting there to be a `scope` value in the return JSON. But I receive:

```json
{
  "access_token": "",
  "token_type": "Bearer",
  "expires_in": 43199,
  "id_token": ""
}
```

To reproduce:

1. Created a project
2. Created a web app - downloaded the client_id and secret
3. Make a call to authorize

```
http://localhost:8080/oauth/v2/authorize?
  client_id=client_id@test
  &redirect_uri=http://localhost/auth/zitadel/callback
  &response_type=code
  &scope=openid+email+profile+urn:zitadel:iam:org:project:roles+urn:zitadel:iam:user:metadata
  &code_challenge=something-code-challenge
  &code_challenge_method=S256
```

4. With the returned code request a token:

```bash
curl --request POST \
  --url http://localhost:8080/oauth/v2/token \
  --header 'Content-Type: multipart/form-data' \
  --form code=SYA7mJ0FPC75QI0doSzOBVqk3nnyK4aDXwEPfxfRWhxfTg \
  --form grant_type=authorization_code \
  --form redirect_uri=http://localhost/auth/zitadel/callback \
  --form code_verifier=something-code-challenge \
  --form client_id=client_id@test \
  --form client_secret=
```

5. Token endpoint returns:

```json
{
  "access_token": "",
  "token_type": "Bearer",
  "expires_in": 43199,
  "id_token": ""
}
```

Is there some other parameter I need to request? I was expecting to get a scope value like you can expect from the Google OIDC flow:

```json
{
  "access_token": "__MOCK_ACCESS_TOKEN__",
  "expires_in": 3599,
  "scope": "openid https://www.googleapis.com/auth/userinfo.email",
  "token_type": "Bearer",
  "id_token": "__MOCK_ID_TOKEN__"
}
```

Any ideas?
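Client-side handling of the missing `scope` field, as an added example that is not part of the issue or of ZITADEL's code: RFC 6749 §5.1 makes `scope` optional when the granted scopes equal the requested ones and required when they differ, so a relying party should fall back to the requested list rather than treat an absent field as "no scopes", and should compare against its request so it fails closed when a scope such as the project-roles scope was not granted. The sample response is constructed to match the shape shown in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TokenResponse holds the RFC 6749 §5.1 fields this check needs; "scope" is optional.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	Scope       string `json:"scope,omitempty"`
}

// GrantedScopes applies RFC 6749 §5.1: no "scope" means exactly the requested scopes were granted.
func GrantedScopes(raw []byte, requested []string) ([]string, error) {
	var resp TokenResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("token response is not valid JSON: %w", err)
	}
	if resp.AccessToken == "" {
		return nil, fmt.Errorf("token response has no access_token")
	}
	if resp.Scope == "" {
		return append([]string(nil), requested...), nil
	}
	return strings.Fields(resp.Scope), nil // present scope is authoritative, space-delimited
}

// MissingScopes lists requested scopes not granted, so a client can fail closed.
func MissingScopes(requested, granted []string) (missing []string) {
	have := map[string]bool{}
	for _, s := range granted {
		have[s] = true
	}
	for _, s := range requested {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

func main() {
	// Constructed sample shaped like the ZITADEL response in the issue: no "scope" field.
	raw := []byte(`{"access_token":"at","token_type":"Bearer","expires_in":43199,"id_token":"idt"}`)
	granted, err := GrantedScopes(raw, []string{"openid", "email"})
	fmt.Println(granted, err)
}
```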
hifabienne commented 1 year ago

This requires an update in the oidc lib as well

senthalan commented 9 months ago

> Is there some other parameter I need to request?

I am interested in contributing to the OIDC library. Can I take this up and create a PR for the OIDC lib?

hifabienne commented 9 months ago


Yes, that would be great. I'll assign the issue to you.

muhlemmer commented 6 months ago

Hi @senthalan, do you still intend to work on this issue?