Add a new guard clause to the oauth2 client credentials flow. #1050
Conversation
decko
force-pushed
the
oauth2_fixes
branch
3 times, most recently
from
73a5c0a to
64d63ae
Compare
| if scope := " ".join(self.scopes): | ||
| data["scope"] = scope |
There was a problem hiding this comment.
This would be an actual change, but what is the issue we are solving here?
There was a problem hiding this comment.
Some Idps doesn't require a scope parameter to issue a token. And since it's not required, maybe sending it as an empty value could cause an issue with the IdP itself.
There was a problem hiding this comment.
"Maybe" is a bit vague. Can you find a place in rcf6749 being specific about this?
There was a problem hiding this comment.
https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2
scope
OPTIONAL. The scope of the access request as described by
[Section 3.3](https://datatracker.ietf.org/doc/html/rfc6749#section-3.
There was a problem hiding this comment.
This tells me it's optional. But is it allowed to send an empty string? If yes, does it convey a different semantic?
There was a problem hiding this comment.
As we stated, if the scope is to be used, it must not be empty. https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
decko
changed the title
Head branch was pushed to by a user without write access
According to the section 3.3 of RFC 6749 OAuth2 Access Token Scope,
this is the notation that defines how the scope should be send to the
IdentityProvider:
`scope = scope-token *( SP scope-token )`
Basically it should be omitted if it's empty.
Closes #1049