- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 12.0.1, 12.0.2
- Component/s: oauth2
- Labels:
- Sprint: AM Sustaining Sprint 14, AM Sustaining Sprint 15
- Support Ticket IDs:

1] Configuration for OpenID/OAuth2 client #1:
Allowed scopes= openid cn sn
Default scopes= openid cn sn
2] Specify no scopes in authorize request
http://<OpenAM_URL>/oauth2/authorize?response_type=code&redirect_uri=<RedirectURI>&client_id=<Client>
3] You will see an error as below:
<RedirectURL>?error=invalid_request&error_description=Missing expected scope%3Dopenid from request
If the client's allowed scopes contain the 'openid' scope, the request is not allowed to go through when the scope query parameter is omitted.
This is in line with the requirement, but according to RFC 6749 Section 3.3 the default scopes should be used when the client omits the scope parameter from the request:
https://tools.ietf.org/html/rfc6749#section-3.3
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
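To make the expected behaviour concrete, here is a small scope-resolution routine written for this ticket as an added example; it is not OpenAM's code. It uses the client configuration quoted above (allowed and default scopes both `openid cn sn`), models the rejection described in the ticket in `buggy_resolve_scopes`, and shows the RFC 6749 Section 3.3 behaviour in `resolve_scopes`: an omitted scope parameter falls back to the configured defaults, and only a request for a scope the client is not allowed to use (or an omission with no default configured) fails, with `invalid_scope` rather than `invalid_request`. The function and class names are hypothetical.

```python
"""Scope resolution for an OAuth2/OIDC authorize request (RFC 6749 Section 3.3).

Added example, not OpenAM's implementation. ClientConfig, ScopeError,
resolve_scopes, buggy_resolve_scopes and scope_from_authorize_url are
hypothetical names introduced here.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class ClientConfig:
    client_id: str
    allowed_scopes: FrozenSet[str]
    default_scopes: FrozenSet[str]


class ScopeError(Exception):
    """Carries the OAuth2 error code and description the server would redirect with."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def scope_from_authorize_url(url: str) -> Optional[str]:
    """Return the raw scope query parameter of an authorize URL, or None if absent."""
    values = parse_qs(urlparse(url).query).get("scope")
    return values[0] if values else None


def resolve_scopes(client: ClientConfig, requested: Optional[str]) -> FrozenSet[str]:
    """RFC 6749 Section 3.3 behaviour.

    scope is a space-delimited, case-sensitive list. When the client omits
    it, the server MUST either apply a pre-defined default or fail with
    invalid_scope; a missing parameter is not invalid_request on its own.
    """
    if requested is None or not requested.strip():
        if client.default_scopes:
            return client.default_scopes
        raise ScopeError("invalid_scope",
                         "No scope requested and no default scope configured for client")
    asked = frozenset(requested.split())
    not_allowed = asked - client.allowed_scopes
    if not_allowed:
        raise ScopeError("invalid_scope",
                         "Scope(s) not allowed for this client: " + " ".join(sorted(not_allowed)))
    return asked


def buggy_resolve_scopes(client: ClientConfig, requested: Optional[str]) -> FrozenSet[str]:
    """Model of the behaviour reported in the ticket (constructed, not OpenAM code).

    When 'openid' is among the client's allowed scopes and the request does
    not name it, the request is rejected as invalid_request instead of
    falling back to the configured default scopes.
    """
    asked = frozenset(requested.split()) if requested else frozenset()
    if "openid" in client.allowed_scopes and "openid" not in asked:
        raise ScopeError("invalid_request", "Missing expected scope=openid from request")
    return asked or client.default_scopes


# Client #1 from the ticket: allowed and default scopes are both "openid cn sn".
CLIENT_1 = ClientConfig(
    client_id="client1",  # constructed placeholder for <Client>
    allowed_scopes=frozenset({"openid", "cn", "sn"}),
    default_scopes=frozenset({"openid", "cn", "sn"}),
)

# Authorize request from step 2 of the ticket, with constructed placeholder values.
AUTHORIZE_URL = ("http://openam.example/oauth2/authorize"
                 "?response_type=code&redirect_uri=https://rp.example/cb&client_id=client1")


if __name__ == "__main__":
    requested = scope_from_authorize_url(AUTHORIZE_URL)
    print("scope parameter present:", requested is not None)
    for name, fn in (("buggy", buggy_resolve_scopes), ("rfc6749", resolve_scopes)):
        try:
            print(name, "->", sorted(fn(CLIENT_1, requested)))
        except ScopeError as exc:
            print(name, "-> error:", exc.error, "/", exc.description)
```

Running the module prints the rejection for the modelled behaviour and the three default scopes for the RFC-conforming path, which is the outcome this ticket asks for.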