
Scope existence isn't checked in AuthorizeController::validateAuthorizeRequest

Open Bhoft opened this issue 4 years ago • 0 comments

The client scope in the AuthorizeController::validateAuthorizeRequest isn't checked if it exists in the given storage.

https://github.com/bshaffer/oauth2-server-php/blob/5a0c8000d4763b276919e2106f54eddda6bc50fa/src/OAuth2/Controller/AuthorizeController.php#L307-L315

https://github.com/bshaffer/oauth2-server-php/blob/5a0c8000d4763b276919e2106f54eddda6bc50fa/src/OAuth2/Scope.php#L48-L54

The requested scope is only checked for existence if the clientScope is empty. But if both client and requested scopes are set and equal, it isn't checked whether the scopes exist in the storage at all.

Is this intentional, as the scope which is set in the client's entries should exist in the scope storage?

I just wonder because when some scope is removed from the storage, the clients with that scope are still working. I would assume that this would also return an invalid_scope error.

Bhoft, May 21 '21 08:05
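To make the reported behaviour concrete, here is an added PHP illustration (not code from oauth2-server-php, and the class and function names are hypothetical). It contrasts a validation that consults the scope storage only when the client has no scope of its own, which is what the issue describes, with a stricter variant that always requires the requested scope to exist in storage, so that a scope deleted from storage is rejected even for clients whose record still lists it.

```php
<?php
// Added illustration, not oauth2-server-php code. All names are hypothetical.

/** Minimal stand-in for a scope storage: the set of scopes currently known. */
final class InMemoryScopeStorage
{
    /** @var array<string, true> */
    private array $known;

    /** @param string[] $scopes */
    public function __construct(array $scopes)
    {
        $this->known = array_fill_keys($scopes, true);
    }

    /** Returns true only if every space-separated scope exists in storage. */
    public function scopeExists(string $scope): bool
    {
        foreach (explode(' ', trim($scope)) as $s) {
            if ($s === '' || !isset($this->known[$s])) {
                return false;
            }
        }
        return true;
    }
}

/** True if every scope in $required is among $available (both space-separated). */
function checkScope(string $required, string $available): bool
{
    $req   = array_filter(explode(' ', $required));
    $avail = array_filter(explode(' ', $available));
    return count(array_diff($req, $avail)) === 0;
}

/**
 * Behaviour the issue describes: when the client has its own scope list, the
 * request is only compared against that list; existence in storage is
 * consulted only when the client scope is empty.
 */
function validateScopeAsReported(string $requestedScope, ?string $clientScope, InMemoryScopeStorage $storage): bool
{
    if ($clientScope === null || $clientScope === '') {
        return $storage->scopeExists($requestedScope);
    }
    return checkScope($requestedScope, $clientScope);
}

/**
 * Stricter variant: a requested scope must both exist in storage and be
 * permitted for the client, so removing a scope from storage revokes it
 * for every client at once.
 */
function validateScopeStrict(string $requestedScope, ?string $clientScope, InMemoryScopeStorage $storage): bool
{
    if (!$storage->scopeExists($requestedScope)) {
        return false;
    }
    if ($clientScope === null || $clientScope === '') {
        return true;
    }
    return checkScope($requestedScope, $clientScope);
}

// Constructed scenario: "export" has been removed from storage, but the
// client record still lists it.
$storage     = new InMemoryScopeStorage(['read', 'write']);
$clientScope = 'read export';

foreach (['export', 'read', 'write'] as $requested) {
    printf(
        "scope=%-7s reported=%s strict=%s\n",
        $requested,
        validateScopeAsReported($requested, $clientScope, $storage) ? 'accept' : 'invalid_scope',
        validateScopeStrict($requested, $clientScope, $storage) ? 'accept' : 'invalid_scope'
    );
}
```

The difference shows up on the removed scope: the reported logic accepts it because the client record still names it, while the strict variant returns invalid_scope. The strict variant also rejects "write", which exists in storage but is not in the client's list, so client restriction is preserved.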