OpenAM / OPENAM-14635

OAuth2 provider Supported Scopes description change

      Bug description

      The help text could lead one to believe that AM should work as described below; the objective of this issue is to update the documentation and help:
      An OAuth2 client defined with a scope, e.g. "write", can obtain an access token containing the scope "write" even if the scope is not supported by the OAuth2 provider.

      How to reproduce the issue

      I tested on 6.5 in a subrealm.

      1. Create an OAuth2 provider service in a subrealm with scope "read".
      2. Create an OAuth2 client with scope "write".
      3. Request an authz code for the client with the scope "write".
      4. Exchange the authz code for an access token.
      5. The access token contains the scope "write".

      Expected behaviour
      The access token does not contain the scope "write", as it is not a supported scope for the OAuth2 provider.

      Current behaviour
      The access token contains the scope "write".

      Further information

      • When using self-registration, clients are not allowed to register with unsupported scopes. So it looks like it would only affect clients configured by an admin user.
      • Tried the Resource Owner Password Credentials grant; same behaviour.
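The following is an added example, not OpenAM code, that models the scope check the reproduction steps and the "Further information" notes describe: an admin-configured client whose scope is not among the provider's supported scopes, the current behaviour (the client's registered scopes are the only check), the expected behaviour (the provider's supported scopes are enforced as well, here by failing the request as invalid_scope), and the self-registration path that already rejects unsupported scopes. All names (Provider, Client, register_client, grant_scopes, audit_token_scope, reproduce) are hypothetical, and the sample data is constructed to mirror the steps above (provider supports only "read", client registered with "write"). The audit_token_scope function is the check an administrator would run over already issued tokens to find scopes the provider does not support.

```python
"""Scope enforcement model for an OAuth2 provider (added example, not OpenAM code).

Hypothetical names throughout (Provider, Client, register_client, grant_scopes,
audit_token_scope, reproduce). Sample data is constructed to mirror the issue's
reproduction steps: the provider supports only "read", the client is registered
with "write".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Provider:
    """OAuth2 provider service of a realm and the scopes it supports."""
    supported_scopes: frozenset


@dataclass(frozen=True)
class Client:
    """An OAuth2 client and the scopes it was registered with."""
    client_id: str
    scopes: frozenset


class ScopeError(ValueError):
    """Raised where the provider would answer with error=invalid_scope."""


def register_client(provider, client_id, requested_scopes, self_registration):
    """Create a client. Self-registration rejects scopes the provider does not
    support; an admin-created client is stored as configured (the asymmetry the
    issue points out)."""
    scopes = frozenset(requested_scopes)
    unsupported = scopes - provider.supported_scopes
    if self_registration and unsupported:
        raise ScopeError(f"invalid_scope at registration: {sorted(unsupported)}")
    return Client(client_id, scopes)


def grant_scopes(provider, client, requested_scopes, enforce_provider):
    """Return the scopes that go into the access token for a request.

    Applies to the authorization code grant and the resource owner password
    credentials grant alike. With enforce_provider=False only the client's
    registered scopes are checked (current behaviour in the issue). With
    enforce_provider=True a scope must also be supported by the provider
    (expected behaviour); an unsupported scope fails the request as invalid_scope.
    """
    requested = frozenset(requested_scopes)
    outside_client = requested - client.scopes
    if outside_client:
        raise ScopeError(f"invalid_scope, not registered for client: {sorted(outside_client)}")
    if enforce_provider:
        unsupported = requested - provider.supported_scopes
        if unsupported:
            raise ScopeError(f"invalid_scope, not supported by provider: {sorted(unsupported)}")
    return requested


def audit_token_scope(scope_claim, provider):
    """Detection check for already issued tokens: given the space-delimited
    scope claim of a token, return the scopes the provider does not support."""
    return frozenset(scope_claim.split()) - provider.supported_scopes


def reproduce():
    """Walk the issue's steps and return what each variant yields."""
    provider = Provider(frozenset({"read"}))                                       # step 1
    client = register_client(provider, "app", {"write"}, self_registration=False)  # step 2
    current = grant_scopes(provider, client, ["write"], enforce_provider=False)    # steps 3-5
    try:
        grant_scopes(provider, client, ["write"], enforce_provider=True)
        expected = "token issued with write"
    except ScopeError as exc:
        expected = str(exc)
    try:
        register_client(provider, "self-app", {"write"}, self_registration=True)
        self_reg = "registered"
    except ScopeError as exc:
        self_reg = str(exc)
    return {
        "current_token_scopes": current,
        "expected_behaviour": expected,
        "self_registration": self_reg,
        "audit_of_issued_token": audit_token_scope("read write", provider),
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Running the module prints one line per variant: the current behaviour yields a token carrying "write", the enforced variant and self-registration both fail with invalid_scope, and the audit of a constructed token with scope claim "read write" reports "write" as unsupported. Rejecting the request rather than silently dropping the scope is a design choice made here; either way the token never carries a scope the provider does not support, which is the expected behaviour the issue states.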

      Assignee: Dipu Seminlal (dipu.seminlal), Nathalie Hoet (nathalie.hoet)