ethyca · pattisdr · Jul 8, 2022 · Jul 7, 2022 · Jul 7, 2022 · Jul 7, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -39,6 +39,7 @@ The types of changes are:
 * Fix publish_docs CI action [#818](https://github.com/ethyca/fidesops/pull/818)
 * Bump fideslib to handle base64 encoded password [#820](https://github.com/ethyca/fidesops/pull/820)
 * Stop masking uvicorn logs by default [#831](https://github.com/ethyca/fidesops/pull/831)
+* Fix error when there are no scopes in `ClientDetail` [#830](https://github.com/ethyca/fidesops/pull/830)
 
 ## [1.6.1](https://github.com/ethyca/fidesops/compare/1.6.0...1.6.1)
 

diff --git a/requirements.txt b/requirements.txt
@@ -10,7 +10,7 @@ fastapi-caching[redis]
 fastapi-pagination[sqlalchemy]~= 0.8.3
 fastapi[all]==0.78.0
 fideslang==1.0.0
-fideslib==2.2.1
+fideslib==2.2.2
 fideslog==1.2.1
 multidimensional_urlencode==0.0.4
 pandas==1.3.3

diff --git a/src/fidesops/api/v1/endpoints/oauth_endpoints.py b/src/fidesops/api/v1/endpoints/oauth_endpoints.py
@@ -76,7 +76,10 @@ async def acquire_access_token(
     else:
         raise AuthenticationFailure(detail="Authentication Failure")
 
-    client_detail = ClientDetail.get(db, object_id=client_id, config=config)
+    # scopes param is only used if client is root client, otherwise we use the client's associated scopes
+    client_detail = ClientDetail.get(
+        db, object_id=client_id, config=config, scopes=SCOPE_REGISTRY
+    )
 
     if client_detail is None:
         raise AuthenticationFailure(detail="Authentication Failure")

diff --git a/src/fidesops/util/oauth_util.py b/src/fidesops/util/oauth_util.py
@@ -21,6 +21,7 @@
 from starlette.status import HTTP_404_NOT_FOUND
 
 from fidesops.api.deps import get_db
+from fidesops.api.v1.scope_registry import SCOPE_REGISTRY
 from fidesops.api.v1.urn_registry import TOKEN, V1_URL_PREFIX
 from fidesops.core.config import config
 from fidesops.models.policy import PolicyPreWebhook
@@ -138,8 +139,9 @@ async def verify_oauth_client(
     if not client_id:
         raise AuthorizationError(detail="Not Authorized for this action")
 
+    # scopes param is only used if client is root client, otherwise we use the client's associated scopes
     client = ClientDetail.get(
-        db, object_id=client_id, config=config, scopes=security_scopes.scopes
+        db, object_id=client_id, config=config, scopes=SCOPE_REGISTRY
     )
 
     if not client:

diff --git a/tests/api/v1/endpoints/test_oauth_endpoints.py b/tests/api/v1/endpoints/test_oauth_endpoints.py
@@ -390,6 +390,28 @@ def test_invalid_client_secret(self, db, url, api_client):
 
         new_client.delete(db)
 
+    def test_get_access_token_root_client(self, url, api_client):
+        data = {
+            "client_id": config.security.OAUTH_ROOT_CLIENT_ID,
+            "client_secret": config.security.OAUTH_ROOT_CLIENT_SECRET,
+        }
+
+        response = api_client.post(url, data=data)
+        jwt = json.loads(response.text).get("access_token")
+        assert 200 == response.status_code
+        assert (
+            data["client_id"]
+            == json.loads(extract_payload(jwt, config.security.APP_ENCRYPTION_KEY))[
+                JWE_PAYLOAD_CLIENT_ID
+            ]
+        )
+        assert (
+            json.loads(extract_payload(jwt, config.security.APP_ENCRYPTION_KEY))[
+                JWE_PAYLOAD_SCOPES
+            ]
+            == SCOPE_REGISTRY
+        )
+
     def test_get_access_token(self, db, url, api_client):
         new_client, secret = ClientDetail.create_client_and_secret(
             db,