
Return `scope` as a token response param

Open chervand opened this issue 8 years ago • 6 comments

According to https://tools.ietf.org/html/rfc6749#section-5.1

scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED...

and https://tools.ietf.org/html/rfc6749#section-3.3

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions. If the issued access token scope is different from the one requested by the client, the authorization server MUST include the "scope" response parameter to inform the client of the actual scope granted. If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

Is it possible to return the scope value as a request param by default, to notify clients about the actually granted scopes (in the case of default or omitted ones) without the need to parse the JWT?

chervand avatar Oct 11 '17 15:10 chervand

@chervand have you found a way to accomplish this?

DewaldBodenstein avatar Oct 24 '17 10:10 DewaldBodenstein

@DewaldBodenstein, I believe adding it to the `League\OAuth2\Server\ResponseTypes\BearerTokenResponse` `$responseParams` should be enough.

chervand avatar Oct 24 '17 17:10 chervand
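One way to do what the comment above suggests, as an added example rather than code from this issue or from the library itself: `BearerTokenResponse` merges whatever `getExtraParams()` returns into the token response body, so a small subclass can emit the granted scopes as a top-level `scope` parameter (space-delimited, as RFC 6749 section 3.3 requires) and the client never has to decode the JWT to learn what it was actually granted. The `App\OAuth2` namespace, the class name and the repository/key variables passed to `AuthorizationServer` are assumptions for illustration; the library classes and method names are real.

```php
<?php
declare(strict_types=1);

namespace App\OAuth2; // hypothetical namespace for this example

use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;

/**
 * Token response that adds the scopes actually granted to the access token
 * as a `scope` response parameter (RFC 6749 sections 3.3 and 5.1).
 *
 * The library calls getExtraParams() from generateHttpResponse() and merges
 * the returned array into the JSON body next to access_token, token_type,
 * expires_in and (when issued) refresh_token. The core parameters win on a
 * key collision, so this override cannot clobber them.
 */
final class ScopedBearerTokenResponse extends BearerTokenResponse
{
    protected function getExtraParams(AccessTokenEntityInterface $accessToken): array
    {
        // The token carries the scopes after the ScopeRepository's
        // finalizeScopes() has narrowed them, i.e. the real grant, not the
        // client's request. Report exactly those.
        $identifiers = array_map(
            static fn (ScopeEntityInterface $scope): string => $scope->getIdentifier(),
            $accessToken->getScopes()
        );

        // RFC 6749 section 3.3: scope is a space-delimited, case-sensitive
        // list. Always emit it, even when it equals the request; the spec
        // permits that and it removes the need for clients to guess.
        return ['scope' => implode(' ', $identifiers)];
    }
}

// Wiring: pass the custom response type as the sixth constructor argument.
// $clientRepository, $accessTokenRepository, $scopeRepository, $privateKey
// and $encryptionKey are assumed to exist exactly as in a normal setup.
$server = new AuthorizationServer(
    $clientRepository,
    $accessTokenRepository,
    $scopeRepository,
    $privateKey,
    $encryptionKey,
    new ScopedBearerTokenResponse()
);
```

With this in place a client that asked for `read write admin` but was narrowed to `read write` by `finalizeScopes()` receives `"scope": "read write"` in the token body, which is the situation the spec's MUST in section 3.3 is written for. Requests for scopes the server does not know about at all are still better answered with an `invalid_scope` error from the scope repository, as noted later in this thread; the response parameter covers the case where a scope is valid but was denied by policy.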

Thanks, got it working.

DewaldBodenstein avatar Oct 25 '17 04:10 DewaldBodenstein

@chervand That's nice. I think in most implementations, if the client requests scopes that aren't supported, the server should respond with an invalid_scope error. However, this is really useful for situations where a scope is valid, but for some other reason has been denied (e.g. authorisation).

And as you rightly mention, it follows spec. In fact, I'd go so far as to say that it's worth having in the response regardless.

Do you fancy making a pull request for this?

simonhamp avatar Oct 25 '17 14:10 simonhamp

@simonhamp yes, sure

chervand avatar Oct 25 '17 14:10 chervand

+1, this would be very useful.

christiaangoossens avatar Apr 22 '18 14:04 christiaangoossens