OPENAM-12498

Authorization Grant response returns scope(s) in the URL

    Details

    • Sprint:
      AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57, AM Sustaining Sprint 58
    • Story Points:
      5
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description.

      Description

      Bug description

      Authorization Grant response returns scope in the URL. RFC 6749 suggests only the code and state (if defined in the request) should be returned. 

      How to reproduce the issue

      1. Create OAuth2 Provider service
      2. Register an OAuth2 client profile
      3. Request authorization code using /authorize endpoint
      4. If authentication is successful, and the user allows access, an authorization code is returned, along with the scope(s).

      Expected behaviour

      Authorization Code is returned

      Current behaviour

      Authorization Code and scope(s) are returned
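As an added example (not code from this ticket or from OpenAM), the following Python checks an authorization-code redirect against RFC 6749 section 4.1.2: it verifies that the state parameter round-trips, that no parameter is repeated (section 3.1), and lists every parameter beyond code and state (or beyond error, error_description, error_uri and state for an error response). The redirect URI, authorization code and state values are constructed for the example. Run against the redirect described in "Current behaviour" it reports scope as an unexpected parameter; a client that needs to know the granted scope should take it from the token response, where RFC 6749 section 5.1 requires it whenever it differs from the scope requested.

```python
"""Check an OAuth 2.0 authorization-code redirect against RFC 6749 section 4.1.2.

Added example for OPENAM-12498; not OpenAM code. The redirect URI, code and
state values below are constructed, not captured from a live deployment.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# RFC 6749 4.1.2: a successful response carries "code" and, if the request
# included one, "state". Anything else is an extension parameter.
SUCCESS_PARAMS = {"code", "state"}
# RFC 6749 4.1.2.1: an error response carries "error", optionally
# "error_description" and "error_uri", and "state" if the request had one.
ERROR_PARAMS = {"error", "error_description", "error_uri", "state"}

# Constructed redirects for the two behaviours the ticket contrasts.
CLIENT_STATE = "af0ifjsldkj"
CURRENT_REDIRECT = (
    "https://client.example.com/cb"
    "?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj&scope=openid%20profile"
)
EXPECTED_REDIRECT = (
    "https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj"
)


def check_authorization_response(redirect_url: str, expected_state: Optional[str]) -> Dict:
    """Parse the redirect the authorization server sent the browser to and
    report anything that deviates from RFC 6749 section 4.1.2.

    Returns the authorization code (None for an error response), whether
    "state" matched the value the client generated, the names of parameters
    beyond those the RFC defines for the response type, and the findings.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    findings: List[str] = []

    # RFC 6749 3.1: request and response parameters MUST NOT appear more than once.
    for name, values in params.items():
        if len(values) > 1:
            findings.append(f"parameter '{name}' appears {len(values)} times")

    is_error = "error" in params
    extra = sorted(set(params) - (ERROR_PARAMS if is_error else SUCCESS_PARAMS))
    if extra:
        # This is what OPENAM-12498 reports: "scope" appended to the redirect.
        # Query parameters in a redirect end up in browser history, Referer
        # headers and proxy logs, so each extension parameter should be a
        # deliberate choice rather than a default.
        findings.append("unexpected parameter(s) in redirect: " + ", ".join(extra))

    if not is_error and "code" not in params:
        findings.append("success response without 'code'")

    # The client must compare "state" with the value it sent (RFC 6749 10.12).
    received_state = params.get("state", [None])[0]
    state_ok = expected_state is None or received_state == expected_state
    if not state_ok:
        findings.append("state mismatch: discard the response (possible CSRF)")

    return {
        "code": params.get("code", [None])[0],
        "state_ok": state_ok,
        "extra_params": extra,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, url in (("current", CURRENT_REDIRECT), ("expected", EXPECTED_REDIRECT)):
        print(label, check_authorization_response(url, CLIENT_STATE))
```

The check is deliberately strict about anything outside the RFC's parameter set: extension parameters are permitted by the RFC's registry, but every one of them widens what a redirect URL leaks to history, logs and Referer headers, so the client should see and decide on them explicitly.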

      People

      • Assignee:
        lawrence.yarham Lawrence Yarham
      • Reporter:
        aaron.haskins Aaron Haskins
      • Votes:
        0
      • Watchers:
        8
