
supported scopes are used as default scopes

Open MarioHoberg opened this issue 8 years ago • 3 comments

If I got it correctly, when a token request (e.g.) with a `client_credentials` grant and without scope is received, a token for all configured scopes is granted.

See code around https://github.com/FriendsOfSymfony/oauth2-php/blob/master/lib/OAuth2.php#L846

RFC6749 3.3. seems to allow for arbitrary defaults, but IMHO a library limiting the default to all available scopes is bad practice.

I suggest falling back to an empty scope and maybe supporting a configurable default.

MarioHoberg avatar Aug 25 '17 15:08 MarioHoberg

I'm also having this issue. Is it just a case of removing `'scope' => $this->getVariable(self::CONFIG_SUPPORTED_SCOPES, null)`?

rcwsr avatar Nov 09 '17 11:11 rcwsr
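One way to implement the fallback the issue asks for, and what rcwsr's question amounts to once the supported-scope default is removed, as an added example that is not oauth2-php's own code: an omitted `scope` parameter resolves to an explicit, validated default (empty unless configured), never to every supported scope. The function name `resolveTokenScope` and the `supported_scopes` / `default_scope` config keys are assumptions.

```php
<?php
// Added example (not oauth2-php's code): resolve the scope for a token request
// that omits the "scope" parameter. Instead of defaulting to all supported
// scopes, fall back to a configurable default that is itself validated against
// the supported list, and to an empty scope when none is configured.
// resolveTokenScope and the $config keys are hypothetical names.

declare(strict_types=1);

/**
 * @param string|null $requestedScope raw "scope" parameter, space-delimited (RFC 6749 section 3.3)
 * @param array       $config         'supported_scopes' => string[], optional 'default_scope' => string[]
 * @return string[]                   scopes to bind to the issued token
 * @throws InvalidArgumentException   when a requested scope is not supported (invalid_scope)
 * @throws LogicException             when the configured default names an unsupported scope
 */
function resolveTokenScope(?string $requestedScope, array $config): array
{
    $supported = $config['supported_scopes'] ?? [];

    if ($requestedScope === null || trim($requestedScope) === '') {
        // No scope requested: use the explicit default, never the whole supported list.
        $default = $config['default_scope'] ?? [];
        $unknown = array_diff($default, $supported);
        if ($unknown !== []) {
            throw new LogicException('default_scope contains unsupported scopes: ' . implode(' ', $unknown));
        }
        return array_values($default);
    }

    // Explicit scope: each token must be one the server supports; reject otherwise.
    $requested = preg_split('/\s+/', trim($requestedScope), -1, PREG_SPLIT_NO_EMPTY);
    $unknown = array_diff($requested, $supported);
    if ($unknown !== []) {
        throw new InvalidArgumentException('invalid_scope: ' . implode(' ', $unknown));
    }
    return array_values(array_unique($requested));
}

// Constructed sample configuration for a local run.
$config = ['supported_scopes' => ['read', 'write', 'admin'], 'default_scope' => ['read']];

var_dump(resolveTokenScope(null, $config));          // omitted scope: configured default only
var_dump(resolveTokenScope('read write', $config));  // explicit, supported scopes pass through
try {
    resolveTokenScope('admin delete', $config);      // unsupported scope is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

With `default_scope` left out of `$config`, an omitted `scope` yields an empty array, which is the fallback the issue proposes.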

Also having this issue. Only want to grant scopes when they are explicitly passed.

bropp avatar Jun 14 '18 00:06 bropp

+1

Jwilsonps avatar Mar 23 '20 16:03 Jwilsonps