-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 5.5.1, 6.0.0, 6.5.0
-
Component/s: oauth2
-
Sprint:AM Sustaining Sprint 54
-
Story Points:3
-
Needs backport:Yes
-
Support Ticket IDs:
-
Verified Version/s:
-
Needs QA verification:Yes
-
Functional tests:No
-
Are the reproduction steps defined?:Yes and I used the same an in the description
Bug description
When OAuth2 authorization requests are made without explicitly asking for scopes and the consent is saved by the end-user, the saved consent won't actually contain the default scopes (that will be issued for the access token).
How to reproduce the issue
- Configure AM as an OAuth2 provider
- Use "description" attribute as Saved Consent Attribute Name
- Add "description" to the list of LDAP User Attributes in the data store settings
- Create a new OAuth2 client with uid as default scopes
- Initiate an OAuth2 authorization flow without explicitly asking for any scopes:
- https://openam.dev/openam/oauth2/authorize?client_id=myclient&redirect_uri=http://localhost&response_type=code
- Check Save Consent box
- Submit the consent page
- Start a new authorization code flow with the same request
Expected behaviour
The second auth code request will not display the consent page.
Current behaviour
The consent saved at the first request does not contain the non-requested but given default scope, hence the save consent screen is displayed again.