[OPENAM-7547] OpenIdConnectAuthorizeRequestValidator doesn't take default scopes into account when checking. Created: 24/Nov/15  Updated: 20/Nov/16  Resolved: 03/Dec/15

Status: Resolved
Project: OpenAM
Component/s: oauth2
Affects Version/s: 12.0.1, 12.0.2
Fix Version/s: 12.0.3, 13.0.0

Type: Bug Priority: Major
Reporter: Sachiko Wallace Assignee: Sachiko Wallace
Resolution: Fixed Votes: 0
Labels: EDISON, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 1|hzlb73:
Sprint: AM Sustaining Sprint 14, AM Sustaining Sprint 15
Support Ticket IDs:

Description

1] Configuration for OpenID/OAuth2 client #1:
Allowed scopes= openid cn sn
Default scopes= openid cn sn

2] Specify no scopes in authorize request

http://<OpenAM_URL>/oauth2/authorize?response_type=code&redirect_uri=<RedirectURI>&client_id=<Client>

3] You will see an error as below:

<RedirectURL>?error=invalid_request&error_description=Missing expected scope%3Dopenid from request

If the allowed scopes contain the 'openid' scope, the request is not allowed to go through if the scope query string is not specified.
This is in line with the requirement, but according to RFC 6749 Section 3.3, the default scopes should be used when the client omits the scope parameter in the request:
https://tools.ietf.org/html/rfc6749#section-3.3

   If the client omits the scope parameter when requesting
   authorization, the authorization server MUST either process the
   request using a pre-defined default value or fail the request
   indicating an invalid scope.  The authorization server SHOULD
   document its scope requirements and default value (if defined).
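
The following is an added illustration of the validation logic this issue is about; it is not OpenAM's OpenIdConnectAuthorizeRequestValidator or any OpenAM code. It models a client with the constructed configuration from the report (allowed and default scopes both `openid cn sn`) and a `use_defaults` switch: with it off, the validator checks only the scopes literally present in the request and rejects an authorize request that omits `scope`, reproducing the `invalid_request` redirect shown above; with it on, the request is processed with the client's pre-defined default scopes, as RFC 6749 Section 3.3 allows. The `handle`, `validate_authorize` and `resolve_scopes` names and the redirect URI are assumptions for the example.

```python
from urllib.parse import urlencode

# Constructed client configuration mirroring the report (not a real OpenAM client).
CLIENT = {"allowed": {"openid", "cn", "sn"}, "default": {"openid", "cn", "sn"}}


class OAuth2Error(Exception):
    """An OAuth 2.0 error that is returned to the client via the redirect URI."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def resolve_scopes(scope_param, client, use_defaults=True):
    """Return the effective scope set for an authorize request.

    RFC 6749 s3.3: if the client omits 'scope', the server MUST either use a
    pre-defined default or fail the request with invalid_scope. With
    use_defaults=False the omitted parameter yields an empty set, which is the
    behaviour the report describes (defaults are never consulted).
    """
    if scope_param is None or not scope_param.strip():
        return set(client["default"]) if use_defaults else set()
    requested = set(scope_param.split())
    unknown = requested - client["allowed"]
    if unknown:
        raise OAuth2Error(
            "invalid_scope", "Scope(s) not allowed for client: " + " ".join(sorted(unknown))
        )
    return requested


def validate_authorize(params, client, use_defaults=True):
    """Validate an OpenID Connect authorize request; return the effective scopes."""
    for required in ("response_type", "client_id", "redirect_uri"):
        if not params.get(required):
            raise OAuth2Error("invalid_request", "Missing required parameter: " + required)
    scopes = resolve_scopes(params.get("scope"), client, use_defaults)
    # The OIDC-specific rule from the report: a client allowed to use 'openid'
    # must actually request it (directly or, once fixed, via its defaults).
    if "openid" in client["allowed"] and "openid" not in scopes:
        raise OAuth2Error("invalid_request", "Missing expected scope=openid from request")
    return scopes


def error_redirect(redirect_uri, err):
    """Build the error redirect the client would receive (query-string encoded)."""
    separator = "&" if "?" in redirect_uri else "?"
    return redirect_uri + separator + urlencode(
        {"error": err.error, "error_description": err.description}
    )


def handle(params, client, use_defaults=True):
    """Outcome of an authorize request: ('ok', sorted scopes) or ('redirect', url)."""
    try:
        return ("ok", sorted(validate_authorize(params, client, use_defaults)))
    except OAuth2Error as err:
        return ("redirect", error_redirect(params["redirect_uri"], err))


if __name__ == "__main__":
    # Constructed request with no 'scope' parameter, as in step 2 of the report.
    request = {
        "response_type": "code",
        "redirect_uri": "https://client.example/cb",  # hypothetical redirect URI
        "client_id": "example-client",                # hypothetical client id
    }
    print("defaults ignored:", handle(request, CLIENT, use_defaults=False))
    print("defaults applied:", handle(request, CLIENT, use_defaults=True))
```

Running it shows the two behaviours side by side: without defaults the omitted parameter produces the `error=invalid_request&error_description=Missing+expected+scope%3Dopenid+from+request` redirect, while with defaults applied the request proceeds with the scopes `cn openid sn`. An explicit `scope=cn sn` is still rejected in both modes, since the client then asked for a non-OIDC scope set, and a scope outside the allowed list fails with `invalid_scope` before the `openid` check runs.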

Generated at Tue Mar 09 11:03:22 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.