OpenAM / OPENAM-14635

OAuth2 provider Supported Scopes description change

    Details

      Description

      Bug description

      The help text could lead one to believe that AM should work as described below; the objective of this issue is to update the documentation and help:
      An OAuth2 client defined with a scope, e.g. "write", can obtain an access token containing the scope "write" even if the scope is not supported by the OAuth2 provider.

      How to reproduce the issue

      I tested on 6.5 in a subrealm.

      1. Create an OAuth2 provider service in a subrealm with scope "read".
      2. Create an OAuth2 client with scope "write".
      3. Request an authz code for the client with the scope "write".
      4. Exchange the authz code for an access token.
      5. The access token contains the scope "write".

      Expected behaviour

      The access token does not contain the scope "write", as it is not a supported scope for the OAuth2 provider.

      Current behaviour

      The access token contains the scope "write".

      Further information

      • When using self-registration, clients are not allowed to register with unsupported scopes. So it looks like it would only affect clients configured by an admin user.
      • Tried the Resource owner password credentials, same behaviour.
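      The expected behaviour from the report expressed as a scope check, plus an audit function that flags the current behaviour in an issued token. This is an added illustration, not OpenAM code; the provider/client configuration, the function names and the token dicts are constructed assumptions.

```python
# Added example (not OpenAM code): scope validation that yields the report's
# expected behaviour, plus an audit check that detects the current behaviour.
class InvalidScope(ValueError):
    """Corresponds to the OAuth 2.0 'invalid_scope' error response."""

# Constructed configuration mirroring the report: the subrealm's provider
# supports only "read"; an admin-created client is registered with "write".
PROVIDER_SUPPORTED_SCOPES = frozenset({"read"})
CLIENT_SCOPES = {
    "admin-client": frozenset({"write"}),            # the report's client
    "well-formed-client": frozenset({"read", "write"}),
}

def resolve_granted_scopes(client_id, requested_scope="",
                           client_scopes=CLIENT_SCOPES,
                           provider_scopes=PROVIDER_SUPPORTED_SCOPES):
    """Return the scopes a token may carry for this client.

    A scope is granted only if the client is registered for it AND the
    provider supports it (the report's expected behaviour). A request that
    leaves nothing grantable is refused with invalid_scope instead of being
    answered with an over-broad token.
    """
    registered = client_scopes.get(client_id, frozenset())
    # RFC 6749 section 3.3: with no scope parameter the server may apply a
    # default; here the default is the client's registered scopes.
    requested = frozenset(requested_scope.split()) or registered
    granted = requested & registered & provider_scopes
    if not granted:
        raise InvalidScope(f"{client_id}: none of {sorted(requested)} grantable")
    return granted

def unsupported_scopes_in_token(token, provider_scopes=PROVIDER_SUPPORTED_SCOPES):
    """Audit an issued token's 'scope' field and return the scopes the
    provider does not support (a non-empty set means the bug is present)."""
    return frozenset(token.get("scope", "").split()) - provider_scopes

if __name__ == "__main__":
    # Steps 3-5 of the report with validation in place: the request is refused.
    try:
        resolve_granted_scopes("admin-client", "write")
    except InvalidScope as exc:
        print("refused:", exc)
    print("granted:", sorted(resolve_granted_scopes("well-formed-client", "read write")))
    # A constructed token showing the current behaviour from the report.
    leaked = {"token_type": "Bearer", "scope": "write"}
    print("unsupported scopes in token:", sorted(unsupported_scopes_in_token(leaked)))
```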

            People

            • Assignee: Dipu Seminlal
            • Reporter: Nathalie Hoet