Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-18269

A client request to the /device/code OAuth 2.0 endpoint with an invalid value to the scope parameter successfully returns the device code, user code and URL.



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    •, 6.5.1,, 6.5.2,,,, 7.0.0, 7.1.0, 7.0.1, 7.0.2
    • None
    • oauth2
    • AM Sustaining Sprint 88, AM Sustaining Sprint 89
    • 5


      Bug description

      A client request to the ForgeRock AM OAuth 2.0 /device/code endpoint with an invalid scope successfully returns a device code, a user code and a verification URL.

      How to reproduce the issue

      1. Install and configure a ForgeRock AM instance (6.x / 7.x)
      2. Configure OAuth 2.0 / OIDC service in the AM realm
      3. Create an OAuth Client in the realm that supports Device Code Grant
      4. Simulate a client request to the device/code endpoint of the AM instance with an invalid scope (scope that is not defined in the OAuth 2.0 client profile created in step 3)

      If we supply an invalid scope at the device/code end point, it returns the user code , url and device code. Output is appended below for reference. Only when we access the the device/user end point to validate the user code and authenticate, the invalid scope error is thrown (screenshot attached). 

      Expected behaviour
      1. As per the draft scope is not a required parameter for the device/code end point, so it should work without the parameter (


      2. If an invalid scope is provided in the request, it should throw an error while requesting a device code / user coder. 
      Current behaviour 
       It successfully returns a device code, user code and verification URL. Only when the user accesses the User Code and authenticate with the Authorization Server, does the invalid scope error show up (screenshot attached). It should fail early:
      $curl --request POST --data 'client_id=deviceclient&scope=scopedoesnotexist&response_type=token' http://am1.mydomain.com:8080/openam/oauth2/device/code| jq .
        % Total    % Received % Xferd  Average Speed   Time    Time Time  Current
                                       Dload  Upload   Total   Spent Left  Speed
      100   666  100   600  100    66   9508   1045 --:--:-- --:--:-- --:--:--  9523
        "user_code": "TLxi4AFC",
        "device_code": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJodHRwOi8vYW0xLm15ZG9tYWluLmNvbTo4MDgwL29wZW5hbS9vYXV0aDIiLCJuYmYiOjE2MjkxODI5NTEsInVzZXJfY29kZSI6IlRMeGk0QUZDIiwiaXNzIjoiaHR0cDovL2FtMS5teWRvbWFpbi5jb206ODA4MC9vcGVuYW0vb2F1dGgyIiwiZXhwIjoxNjI5MTgzMjUxLCJpYXQiOjE2MjkxODI5NTEsImp0aSI6ImE4MWJiZjdmLWZlYzctNDU3OC04M2ZkLWYzOWI2ZDE3OGZlNSJ9.KiRwyX_7fPFiYegEIcjJxYKt89V6P-jZNwREmtUQa0o",
        "interval": 5,
        "verification_uri": "http://am1.mydomain.com:8080/openam/oauth2/device/user",
        "expires_in": 300,
        "verification_url": "http://am1.mydomain.com:8080/openam/oauth2/device/user"




            flynn.bastin Flynn Bastin
            rajesh.rajasekharan Rajesh Rajasekharan
            1 Vote for this issue
            5 Start watching this issue