- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 6.0.0.4, 6.5.0, 6.5.1, 7.0.0
- Component/s: documentation, oauth2
- Labels:
- Support Ticket IDs:
- Verified Version/s:
- CVSS v3 Base Score: 4.2
- Needs QA verification: Yes
- Functional tests: No
Bug description
The help text could lead one to believe that AM should work as described below; the objective of this issue is to update the documentation and help accordingly:
An OAuth2 client defined with a scope, e.g. "write", can obtain an access token containing the scope "write" even if the scope is not supported by the OAuth2 provider.
How to reproduce the issue
I tested on 6.5 in a subrealm
- Create an OAuth2 provider service in a subrealm with scope "read".
- Create an OAuth2 client with scope "write".
- Request an authorization code for the client with the scope "write".
- Exchange the authorization code for an access token.
- The access token contains the scope "write".
Expected behaviour
The access token does not contain the scope "write", as it is not a supported scope of the OAuth2 provider.
Current behaviour
The access token contains the scope "write".
Further information
- When using self-registration, clients are not allowed to register with unsupported scopes. So it looks like it would only affect clients configured by an admin user.
- Tried the Resource Owner Password Credentials grant; same behaviour.
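As an added illustration (not AM's code), the following models the two checks the ticket contrasts: the self-registration rule that rejects unsupported scopes, and the token-issuance rule under the expected behaviour, where a granted scope must be requested, allowed for the client, and supported by the provider in that realm. It assumes, as one possible enforcement, that a request for a scope outside that set is refused with an `invalid_scope` error rather than silently narrowed; the scenario values are constructed from the reproduction steps above.

```python
class ScopeError(ValueError):
    """Raised when a scope request or client registration cannot be honoured."""


def register_client(client_scopes, provider_scopes):
    """Self-registration rule from the ticket: any scope the provider does not
    support is rejected, so a self-registered client cannot hold 'write' in a
    realm whose provider only supports 'read'."""
    unsupported = set(client_scopes) - set(provider_scopes)
    if unsupported:
        raise ScopeError(f"unsupported scope(s): {sorted(unsupported)}")
    return set(client_scopes)


def grant_scopes(requested, client_scopes, provider_scopes):
    """Expected behaviour at token issuance: the token may only carry scopes in
    requested ∩ client_scopes ∩ provider_scopes. An explicitly requested scope
    outside that set is refused (modelled as invalid_scope, an assumption)."""
    requested = set(requested)
    allowed = set(client_scopes) & set(provider_scopes)
    if not requested:
        # No explicit scope parameter: fall back to everything that is allowed.
        return allowed
    rejected = requested - allowed
    if rejected:
        raise ScopeError(f"invalid_scope: {sorted(rejected)}")
    return requested


def raises_scope_error(fn, *args):
    """Helper: True if fn(*args) raises ScopeError, False otherwise."""
    try:
        fn(*args)
    except ScopeError:
        return True
    return False


def reproduce_ticket():
    """Constructed scenario from the ticket: provider supports only 'read', an
    admin-configured client (which bypasses the registration check) holds
    'write', and the client requests 'write'. Returns the outcome as text."""
    provider_scopes = {"read"}
    client_scopes = {"write"}
    try:
        granted = grant_scopes(["write"], client_scopes, provider_scopes)
    except ScopeError as exc:
        return str(exc)
    return f"token issued with scopes {sorted(granted)} (the reported behaviour)"
```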