The newly re-added JWT bearer grant type handler can return different scopes from what the client requested if the JWT contains a "scope" attribute indicating what the user has consented to. In this case https://tools.ietf.org/html/rfc6749#section-5.1 says that the "scope" attribute must be returned in the token endpoint response, indicating the actual granted scope. If the set of allowed scopes ends up being empty, the "scope" attribute is not returned in the response, but the client still gets a (useless) access token.
- Configure an OAuth 2 client with the JWT Bearer grant type with allowed scopes = "test"
- Create a Trusted JWT Issuer
- Issue a JWT from that issuer with a scope=openid claim in the JWT
- Perform a JWT bearer grant flow to obtain an access token with scope=test
The response should either be a failure, because no scopes were granted, or it should carry the "scope":"" attribute to inform the client that different scopes were granted from what it requested.
Instead, the response is successful with no "scope" attribute. Introspecting the token shows empty scopes.
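To make the section 5.1 rule concrete, here is an added Python model (not the project's handler code) of the scope computation, the reported behaviour beside a compliant one, and what a client is entitled to assume from each response; the scope values and token string are constructed for the example.

```python
"""Illustrative model of RFC 6749 section 5.1 scope handling for the JWT
bearer grant. Added example, not the project's handler code; scope
values and the token string are constructed for the example."""

INVALID_SCOPE = "invalid_scope"  # error code from RFC 6749 section 5.2

def granted_scopes(requested, client_allowed, jwt_consented=None):
    """Scopes actually granted: the request, limited to the client's
    registered scopes and, if the assertion carries a "scope" claim,
    to what the user consented to."""
    granted = set(requested) & set(client_allowed)
    if jwt_consented is not None:
        granted &= set(jwt_consented)
    return granted

def buggy_token_response(requested, client_allowed, jwt_consented):
    """Behaviour reported above: a token is always issued and "scope"
    is only written when at least one scope survived."""
    granted = granted_scopes(requested, client_allowed, jwt_consented)
    resp = {"access_token": "constructed-token", "token_type": "Bearer"}
    if granted:
        resp["scope"] = " ".join(sorted(granted))
    return resp

def fixed_token_response(requested, client_allowed, jwt_consented,
                         fail_on_empty=True):
    """Section 5.1 compliant: "scope" is returned whenever the granted set
    differs from the request. An empty grant is either rejected with
    invalid_scope or reported explicitly as "scope": ""."""
    granted = granted_scopes(requested, client_allowed, jwt_consented)
    if not granted and fail_on_empty:
        return {"error": INVALID_SCOPE,
                "error_description": "none of the requested scopes was granted"}
    resp = {"access_token": "constructed-token", "token_type": "Bearer"}
    if granted != set(requested):
        resp["scope"] = " ".join(sorted(granted))
    return resp

def client_assumed_scopes(requested, resp):
    """What a conforming client believes it holds: with no "scope" in a
    successful response, section 5.1 lets it assume the requested scopes."""
    if "error" in resp:
        return set()
    if "scope" not in resp:
        return set(requested)
    return set(resp["scope"].split())
```

With the steps above (requested scope=test, consented scope=openid), the buggy response leaves the client believing it holds "test" while the token carries nothing, which is the mismatch the introspection shows.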
This code inside JwtBearerGrantTypeHandler (and AuthorizationCodeGrantTypeHandler, ClientCredentialsGrantTypeHandler, ...) is the cause: