openid scopes break Oauth2ScopePluginAdapter

Created on 27 May 2025, about 1 month ago

Problem/Motivation

I use the simple_oauth_static_scope module and issue an access token with openid scopes. The permission checks always return false.

When using the access token, the scopes are loaded in Oauth2ScopeReferenceItemList:

    /** @var \Drupal\simple_oauth\Oauth2ScopeAdapterInterface $scope_provider */
    $scope_provider = \Drupal::service('simple_oauth.oauth2_scope.provider');

    $loaded_scopes = $scope_provider->loadMultiple($ids);

This always returns an empty list, because the Oauth2ScopePluginAdapter tries to load ALL scopes, but fails with the openid scope. My scopes in the access tokens are similar to this:

    array (
      0 => 'openid',
      1 => 'profile',
      2 => 'books:read',
      3 => 'books:write'
    )

The scopeManager->getInstances(..) throws a PluginNotFoundException:

"The "openid" plugin does not exist. Valid plugin IDs for Drupal\simple_oauth_static_scope\Plugin\Oauth2ScopeManager are: ...

And therefore return [];

Steps to reproduce

* Create static scopes
* Issue an access token including openid and profile scopes.
* Use access token and try to load anything
* The permission check fails

Proposed resolution

The Oauth2ScopeManager should return the matching scopes and ignore the rest.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

6.0

Component

Code
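The proposed resolution above, sketched as an added example (not the module's code and not written by the issue author): it contrasts the all-or-nothing load described in the report with a load that skips undefined scope IDs. StaticScopeManager, the signature of its getInstances(), the local PluginNotFoundException class and the permission names are hypothetical stand-ins so the script runs without Drupal.

```php
<?php
// Added illustration; stand-ins for the module's classes, not its real code.
class PluginNotFoundException extends \Exception {}

// Hypothetical stand-in for the static scope plugin manager.
final class StaticScopeManager {
  /** @param array<string, string[]> $definitions Scope id => permissions. */
  public function __construct(private array $definitions) {}

  public function hasDefinition(string $id): bool {
    return isset($this->definitions[$id]);
  }

  /** Throws on the first unknown id, as in the reported error. */
  public function getInstances(array $ids): array {
    $instances = [];
    foreach ($ids as $id) {
      if (!$this->hasDefinition($id)) {
        throw new PluginNotFoundException("The \"$id\" plugin does not exist.");
      }
      $instances[$id] = $this->definitions[$id];
    }
    return $instances;
  }
}

// Behaviour described in the report: one unknown id empties the whole result.
function loadMultipleAllOrNothing(StaticScopeManager $m, array $ids): array {
  try {
    return $m->getInstances($ids);
  } catch (PluginNotFoundException $e) {
    return [];
  }
}

// Proposed behaviour: load the ids that are defined and ignore the rest.
function loadMultipleTolerant(StaticScopeManager $m, array $ids): array {
  $known = array_values(array_filter($ids, [$m, 'hasDefinition']));
  return $m->getInstances($known);
}

// Constructed sample data mirroring the token scopes in the report.
$manager = new StaticScopeManager([
  'books:read' => ['view books'],
  'books:write' => ['edit books'],
]);
$token_scopes = ['openid', 'profile', 'books:read', 'books:write'];
var_dump(array_keys(loadMultipleAllOrNothing($manager, $token_scopes)));
var_dump(array_keys(loadMultipleTolerant($manager, $token_scopes)));
```

In the tolerant variant an undefined scope such as openid contributes no permissions at all, so skipping it does not widen what the token is allowed to do.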
