Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Include scope in response if given scopes don't match requested scopes #928

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Include scope in response if given scopes don't match requested scopes #928

wants to merge 3 commits into from

Conversation

robbytaylor
Copy link

According to RFC674:

The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted.

https://tools.ietf.org/html/rfc6749#section-3.3

This PR adds a scope parameter to the Bearer token response when the token's given scopes are different to the scopes that were requested.

@robbytaylor
Copy link
Author

I added the request object as an argument to ResponseTypeInterface:: generateHttpResponse() because it seemed like a preferable (i.e. more generic) approach than adding a $requestedScopes parameter.

I allowed the request parameter to be null, partly because there's places where a redirect response is generated which don't have the request instance available. It didn't seem sensible to update unrelated methods to pass the request object only so it can be passed to the redirect response, which doesn't even need it. I also thought it might help backwards compatibility for libraries which depend on this one. But let me know if you can see a better way of approaching it.

@Sephster
Copy link
Member

Sephster commented Sep 21, 2018

Hi @robbytaylor. I'm not sure about the change to the generateHttpResponse interface as you have pointed out in our comment. I also note that this is currently failing our PHPStan checks. Could you resolve this first and then I will take another look? Many thanks and sorry for the delayed response with this one!

@robbytaylor
Copy link
Author

Hi @Sephster, thanks for getting back to me on this. Will do.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants