
Honor request's scope value

Open chuanma opened this issue 11 years ago • 4 comments

In the OAuth2 spec on granting an access token, "the authorization server MAY fully or partially ignore the scope requested by the client based on the authorization server policy or the resource owner's instructions".

So the OAuth2 spec doesn't have an opinion on how scope is being handled. But oauth2-php currently has an opinion: it fully ignores the request's scope value.

As a result, there is at least one use case that's impossible:

  1. a client with a 'client_credentials' grant type has both 'read' and 'write' scopes.
  2. the client wants to get an access token that can ONLY 'read' data.

With this PR, the client can ask for an access token of 'read' scope by passing in 'scope=read' in the request.

chuanma, Apr 28 '13 23:04
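As an added example, not code from oauth2-php or from this PR, the check the opening comment asks for, written in PHP: a client registered with read and write asks for `scope=read` and gets a read-only token, a request with no scope falls back to the client's full registered set, and a request naming a scope the client was never registered for is refused with the RFC 6749 `invalid_scope` error instead of being silently widened or trimmed. The function names, the `ScopeError` class and the sample client registration are assumptions made for this illustration.

```php
<?php
// Added example (not oauth2-php code): resolving the scope actually granted on a
// client_credentials request so that "scope=read" narrows a read+write client to
// read-only, while anything outside the client's registered scopes is refused.
// ScopeError, parseScope and resolveGrantedScope are names assumed for this example.

declare(strict_types=1);

final class ScopeError extends RuntimeException
{
    // RFC 6749 error code the token endpoint would return for this failure.
    public string $oauthError = 'invalid_scope';
}

/**
 * Parse an RFC 6749 scope parameter: space-delimited, case-sensitive tokens.
 * Returns an empty list when the parameter is absent or blank.
 */
function parseScope(?string $scope): array
{
    if ($scope === null || trim($scope) === '') {
        return [];
    }
    // scope-token = 1*( %x21 / %x23-5B / %x5D-7E ); a single space separates tokens.
    if (!preg_match('/^[\x21\x23-\x5B\x5D-\x7E]+( [\x21\x23-\x5B\x5D-\x7E]+)*$/', $scope)) {
        throw new ScopeError('scope parameter is malformed');
    }
    return array_values(array_unique(explode(' ', $scope)));
}

/**
 * Decide which scopes go on the issued token.
 *
 * - No scope requested: grant the client's full registered set (the server default,
 *   which is also what the library did unconditionally before this change).
 * - A subset of the registered set: honour it, so a client can ask for less.
 * - Any scope not registered for the client: reject with invalid_scope rather than
 *   silently dropping it, so the client never holds more than it asked for and never
 *   believes it holds something it was not granted.
 */
function resolveGrantedScope(array $clientScopes, ?string $requestedScope): array
{
    $requested = parseScope($requestedScope);
    if ($requested === []) {
        return $clientScopes;
    }
    $unknown = array_values(array_diff($requested, $clientScopes));
    if ($unknown !== []) {
        throw new ScopeError('scope not registered for this client: ' . implode(' ', $unknown));
    }
    // Never widen: the grant is exactly the requested subset.
    return $requested;
}

// Constructed sample: a client_credentials client registered with read and write.
$clientScopes = ['read', 'write'];

// Walk through the cases from the issue plus two that should be refused.
foreach (['read', null, 'read write', 'read admin', 'READ'] as $scope) {
    try {
        $granted = resolveGrantedScope($clientScopes, $scope);
        printf("scope=%s -> granted [%s]\n", var_export($scope, true), implode(' ', $granted));
    } catch (ScopeError $e) {
        printf("scope=%s -> %s: %s\n", var_export($scope, true), $e->oauthError, $e->getMessage());
    }
}
```

The spec allows the server to partially ignore the requested scope and return the narrower set in the token response; this example instead refuses unregistered scopes outright, which is the stricter choice for machine clients because it makes a misconfigured client fail loudly at the token endpoint rather than discover missing permissions later at the resource server. Scope tokens are compared case-sensitively, so `READ` is not `read`.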

What's keeping this PR from being merged?

It is currently impossible for a client to request a token with a scope that is narrower than the supported scope.

bartvw, Oct 02 '13 09:10

OK, I have understood your PR. I have been working on the policy functionality and it seems to fix your problem.

Spomky, Oct 21 '13 19:10

I have created a related PR (#64) which does the same thing with corresponding tests ;)

pyrech, Jul 14 '14 11:07

This PR might be closed as #64 has been merged. @chuanma Can you confirm that the requested scope is correctly honored?

Spomky, Nov 03 '14 10:11