Contrib.social

Allow default scopes to be set regardless of grant type

Open on Drupal.org β†’
Created on 1 November 2023, 8 months ago
Updated 29 November 2023, 7 months ago

Problem/Motivation

Currently in v6 the Consumer form only lets you specify default scopes for the consumer if the client_credentials grant type is enabled. But default scopes are granted for any authorization request, regardless of the grant type, when no specific scope is requested.

I believe this is the relevant part of the OAuth2 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-3.3

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

Steps to reproduce

Try to add default scopes to a consumer without the client credentials grant

Proposed resolution

Allow setting default scopes on consumers regardless of selected grant types

Remaining tasks

Implement

User interface changes

Default scopes are always shown in Consumer form

API changes

None

Data model changes

None

πŸ› Bug report
Status

Needs work

Version

6.0

Component

User interface

Created by

πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @paul121
  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA
  • @paul121 opened merge request.
  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA

    Attaching screenshot of what this looks like. The scopes field is available below the 3rd party/confidential fields, but before Redirect URIs.

  • Status changed to Needs review 8 months ago
  • Comment 8 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA
  • First commit to issue fork.
  • Status changed to Needs work 8 months ago
  • Comment 8 months ago β†’
    πŸ‡³πŸ‡±Netherlands bojan_dev

    I made a few changes to support the default scopes in all grant types. Remaining tasks:

    • Check if we still need the default scope logic in the ScopeRepository::finalizeScopes.
    • Add tests for all grant types.
  • Comment 7 months ago β†’
    πŸ‡³πŸ‡±Netherlands Kingdutch

    I just want to note that this is not a bug but rather a feature request (though I'll leave changing the category to others if you agree).

    As already shown in the issue summary:

    If the client omits the scope parameter when requesting
    authorization, the authorization server MUST either process the
    request using a pre-defined default value or fail the request
    indicating an invalid scope. The authorization server SHOULD
    document its scope requirements and default value (if defined).

    In the initial implementation we specifically chose to go for the "fail the request indicating an invalid scope" route.

    In any change we make to this we should ensure that the module can be configured to disallow the use of default scopes and force clients to request some.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024