[OPENAM-12498] Authorization Grant response returns scope(s) in the URL - ForgeRock JIRA

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 13.0.0, 13.5.1, 14.1.1, 14.5.1
Fix Version/s: 13.5.3, 6.5.0.1, 6.5.1, 14.1.2, 6.0.1, 7.0.0, 5.5.2
Component/s: oauth2
Labels:
- EDISON

Target Version/s:

13.5.3, 6.5.0

Sprint:
AM Sustaining Sprint 54, AM Sustaining Sprint 55, AM Sustaining Sprint 56, AM Sustaining Sprint 57, AM Sustaining Sprint 58
Story Points:
5
Needs backport:

No

Support Ticket IDs:

Verified Version/s:

6.5.0.1
Needs QA verification:

No
Functional tests:

Yes
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

Authorization Grant response returns scope in the URL. RFC 6749 suggests only the code and state (if defined in the request) should be returned.

How to reproduce the issue

Create OAuth2 Provider service
Register an OAuth2 client profile
Request authorization code using /authorize endpoint
If authentication is successful, and the user allows access, an authorization code is returned, along with the scope(s).

Expected behaviour

Authorization Code is returned

Current behaviour

Authorization Code and scope(s) are returned

Attachments

Issue Links

caused

OPENAM-13929 Authorise endpoint against agent profile is currently failing and impacting performance tests

Resolved

is duplicated by

OPENAM-14087 TestScopes test failures

Closed

Activity

People

Assignee:

Lawrence Yarham

Reporter:

Aaron Haskins

Votes:

0 Vote for this issue

Watchers:

8 Start watching this issue

Dates

Created:

23/Feb/18 4:50 PM

Updated:

28/Jun/19 1:55 PM

Resolved:

06/Dec/18 11:49 PM