[OPENAM-12997] Consent for default scopes are not saved Created: 25/Apr/18  Updated: 13/Mar/20  Resolved: 07/Sep/18

Status: Closed
Project: OpenAM
Component/s: oauth2
Affects Version/s: 5.5.1, 6.0.0, 6.5.0
Fix Version/s: 6.5.0, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: Peter Major [X] (Inactive) Assignee: Lawrence Yarham
Resolution: Fixed Votes: 0
Labels: Backlog, EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: AM Sustaining Sprint 54
Story Points: 3
Needs backport:
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?: Yes, and I used the same as in the description


Bug description

When OAuth2 authorization requests are made without explicitly asking for scopes and the consent is saved by the end-user, the saved consent won't actually contain the default scopes (that will be issued for the access token).

How to reproduce the issue

Expected behaviour

The second auth code request will not display the consent page.

Current behaviour

The consent saved at the first request does not contain the default scope that was granted without being requested, hence the consent screen is displayed again.

Comment by Andrew Vinall [ 25/Apr/18 ]

Bug Triage: Peter Major [X] Is this a regression?

Comment by Peter Major [X] (Inactive) [ 25/Apr/18 ]

See also TestAuthorizationCodeGrant#testSavedConsent

Comment by Peter Major [X] (Inactive) [ 25/Apr/18 ]

Andrew Vinall this test seemed to fail for 5.5.0 as well: https://ci.forgerock.org/view/OpenAM/job/AM-5.5.x/job/OpenAM-Functional-Tests-Stable/106/Temper_Report/class-com.forgerock.openam.functionaltest.oauth2.TestAuthorizationCodeGrant.html#f68469757472ab760e8ab47d3617478f95a371b9845748efaa020f2badda6384

Comment by Lawrence Yarham [ 04/Sep/18 ]

Just following up on a question regarding when to include default scopes in the saved consent...

Based on https://tools.ietf.org/html/rfc6749#section-3.3:

    If the client omits the scope parameter when requesting
    authorization, the authorization server MUST either process the
    request using a pre-defined default value or fail the request
    indicating an invalid scope. The authorization server SHOULD
    document its scope requirements and default value (if defined).

This looks to indicate that the default scope should only be included in the saved consent if no scope was explicitly requested. The way the fix has been implemented here is that the default scope is included in the saved consent (after asking the end user for consent) even if specific scopes were requested.

I'll re-open and resolve this.
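The following is an added illustrative model of the behaviour discussed in this issue, not OpenAM code: it resolves the effective scopes of an authorization request per RFC 6749 section 3.3 (defaults apply only when the scope parameter is omitted), then contrasts saving only the requested scopes (the reported bug, which leaves the saved consent empty) with saving the scopes actually granted, and checks whether a repeat request would show the consent page again. All function and variable names are assumptions made for this example.

```python
"""Saved-consent model for OAuth2 default scopes (illustrative, not OpenAM code)."""

INVALID_SCOPE = "invalid_scope"


def effective_scopes(requested, default_scopes, allowed_scopes):
    """Scopes an authorization request actually grants.

    RFC 6749 s3.3: an omitted scope parameter means the client's
    pre-defined defaults; an unknown requested scope is invalid_scope.
    """
    if not requested:
        if not default_scopes:
            raise ValueError(INVALID_SCOPE)
        return frozenset(default_scopes)
    scopes = frozenset(requested)
    if not scopes <= frozenset(allowed_scopes):
        raise ValueError(INVALID_SCOPE)
    return scopes


def consent_to_save_buggy(requested, granted):
    # Reported behaviour: only explicitly requested scopes are persisted,
    # so a request that relied on default scopes saves an empty consent.
    return frozenset(requested)


def consent_to_save_fixed(requested, granted):
    # Corrected behaviour: persist the scopes actually granted for the token.
    return frozenset(granted)


def needs_consent_page(saved_consent, granted):
    # The consent page is skipped only if every granted scope was saved earlier.
    return not frozenset(granted) <= frozenset(saved_consent)


def second_request_shows_consent(save_fn, requested, defaults, allowed):
    """Two identical auth-code requests; the user saves consent on the first.

    Returns True if the second request would display the consent page.
    """
    granted = effective_scopes(requested, defaults, allowed)
    saved = save_fn(requested, granted)
    return needs_consent_page(saved, granted)
```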

Comment by Ľubomír Mlích [ 13/Mar/20 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified as fixed in ForgeRock Access Management 5.5.2-M12 Build b4eff06cc5 (2020-February-26 12:16)
