OpenAM / OPENAM-7547

OpenIdConnectAuthorizeRequestValidator doesn't take default scopes into account when checking.

Details

• Sprint: AM Sustaining Sprint 14, AM Sustaining Sprint 15

Description

1] Configuration for OpenID/OAuth2 client #1:
Allowed scopes = openid cn sn
Default scopes = openid cn sn

2] Specify no scopes in the authorize request:

http://<OpenAM_URL>/oauth2/authorize?response_type=code&redirect_uri=<RedirectURI>&client_id=<Client>

3] You will see an error as below:

<RedirectURL>?error=invalid_request&error_description=Missing expected scope%3Dopenid from request

If the allowed scopes contain the 'openid' scope, the validator does not allow the request to go through when the scope query parameter is omitted.
This is in line with the requirement, but according to RFC 6749 Section 3.3 the default scope should be used when the client omits the scope parameter in the request:
https://tools.ietf.org/html/rfc6749#section-3.3

         If the client omits the scope parameter when requesting
         authorization, the authorization server MUST either process the
         request using a pre-defined default value or fail the request
         indicating an invalid scope.  The authorization server SHOULD
         document its scope requirements and default value (if defined).
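
The following Python is an added example, not OpenAM's code, that models the scope handling this report describes: one validator reproduces the reported behaviour (the openid check runs on the raw `scope` parameter, so an omitted parameter fails), the other applies RFC 6749 section 3.3 first (fall back to the client's default scopes, or fail with invalid_scope when none are configured) and only then checks for openid. The `ClientConfig` class, the `validate_authorize_*` function names, the `openam.example` and `rp.example` hosts and the client registration values are all constructed for the example; the registration mirrors the issue's "openid cn sn" configuration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class ClientConfig:
    """Constructed stand-in for an OpenAM OAuth2/OIDC client registration."""
    client_id: str
    allowed_scopes: frozenset
    default_scopes: frozenset


class OAuth2Error(Exception):
    """Carries the `error` code that would be sent back on the redirect URI."""
    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def requested_scopes(authorize_url):
    """Return the scope set from the query string, or None when the `scope`
    parameter is absent.  Absent and empty are deliberately kept distinct:
    only an absent parameter triggers RFC 6749 section 3.3 defaulting."""
    params = parse_qs(urlsplit(authorize_url).query, keep_blank_values=True)
    if "scope" not in params:
        return None
    return frozenset(params["scope"][0].split())


def resolve_scopes(client, requested):
    """RFC 6749 section 3.3: with no scope parameter, use the client's
    pre-defined default scopes or fail with invalid_scope.  Explicitly
    requested scopes must all be in the client's allowed set."""
    if requested is None:
        if not client.default_scopes:
            raise OAuth2Error("invalid_scope", "scope omitted and no default scopes configured")
        return client.default_scopes
    unknown = requested - client.allowed_scopes
    if unknown:
        raise OAuth2Error("invalid_scope", "scope not allowed for client: " + " ".join(sorted(unknown)))
    return requested


def validate_authorize_reported(client, authorize_url):
    """Behaviour the issue reports: the openid check runs on the raw scope
    parameter, so an omitted parameter fails even though the client's
    default scopes include openid."""
    requested = requested_scopes(authorize_url) or frozenset()
    if "openid" in client.allowed_scopes and "openid" not in requested:
        raise OAuth2Error("invalid_request", "Missing expected scope=openid from request")
    return requested


def validate_authorize_expected(client, authorize_url):
    """Expected behaviour: resolve default scopes first, then apply the
    openid check to the effective scope set."""
    effective = resolve_scopes(client, requested_scopes(authorize_url))
    if "openid" in client.allowed_scopes and "openid" not in effective:
        raise OAuth2Error("invalid_request", "Missing expected scope=openid from request")
    return effective


def outcome(validator, client, authorize_url):
    """Run a validator and report what the redirect would carry:
    ('granted', scopes) or ('error', error code)."""
    try:
        return ("granted", validator(client, authorize_url))
    except OAuth2Error as exc:
        return ("error", exc.error)


# Constructed client mirroring the issue's configuration (allowed = default = openid cn sn).
CLIENT = ClientConfig("client1", frozenset({"openid", "cn", "sn"}), frozenset({"openid", "cn", "sn"}))
AUTHORIZE = "https://openam.example/oauth2/authorize"  # placeholder host, not a real deployment
NO_SCOPE_URL = AUTHORIZE + "?response_type=code&redirect_uri=https://rp.example/cb&client_id=client1"

if __name__ == "__main__":
    for name, validator in (("reported", validate_authorize_reported),
                            ("expected", validate_authorize_expected)):
        print(name, outcome(validator, CLIENT, NO_SCOPE_URL))
```

Running the block shows the two outcomes for the same scope-less request: the reported validator returns `invalid_request`, the expected one grants the client's default scopes. Keeping "scope absent" (None) separate from "scope present but empty" matters: the RFC's defaulting rule applies only to the former, so `scope=` still fails the openid check rather than silently widening to the defaults.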
      

People

• Assignee: Sachiko Wallace
• Reporter: Sachiko Wallace