500 response from server when no scopes are specified in the device code flow
When a request for a device code to the /devicecode endpoint does not specify the list of scopes, the subsequent request to the /token endpoint returns a 500 server error:
{
  "error": "server_error",
  "error_description": "Internal Server Error"
}
The OAuth specification (RFC 6749, section 3.3) says:
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
Since in other flows IAM returns all the scopes allowed for the client when the scope parameter is not specified, I suggest using the same approach for the device code flow.
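As an added illustration (not IAM's code), the following minimal model of the two endpoints shows the behaviour proposed above: a missing scope parameter resolves to the client's registered scopes, a scope outside that set is rejected with invalid_scope, and the /token step therefore never has to cope with an absent scope, so there is no path to server_error. The client registry, client ids and generated codes are constructed for the example, and the user-approval step of the device flow is assumed to have already happened.

```python
import secrets

# Constructed client registry: client_id -> scopes the client is allowed to request.
CLIENTS = {"device-client": {"openid", "profile", "offline_access"}}
_device_codes = {}  # device_code -> {"client_id": ..., "scope": set(...)}

def resolve_scope(client_id, requested):
    """Apply RFC 6749 section 3.3: absent scope -> pre-defined default
    (all scopes registered for the client); unknown scope -> invalid_scope."""
    allowed = CLIENTS[client_id]
    if requested is None or not requested.strip():
        return set(allowed)
    wanted = set(requested.split())
    if not wanted <= allowed:
        raise ValueError("invalid_scope")
    return wanted

def device_authorization(client_id, scope=None):
    """Model of POST /devicecode: returns the device authorization response
    or an OAuth error body. Scope is resolved here, before any code is issued."""
    if client_id not in CLIENTS:
        return {"error": "invalid_client"}
    try:
        effective = resolve_scope(client_id, scope)
    except ValueError as e:
        return {"error": str(e)}
    device_code = secrets.token_urlsafe(16)
    user_code = "".join(secrets.choice("BCDFGHJKLMNPQRSTVWXZ") for _ in range(8))
    _device_codes[device_code] = {"client_id": client_id, "scope": effective}
    return {"device_code": device_code, "user_code": user_code,
            "scope": " ".join(sorted(effective))}

def token(client_id, device_code,
          grant_type="urn:ietf:params:oauth:grant-type:device_code"):
    """Model of POST /token for the device code grant (user approval assumed).
    The stored scope is always a populated set, so it can be echoed safely."""
    if grant_type != "urn:ietf:params:oauth:grant-type:device_code":
        return {"error": "unsupported_grant_type"}
    entry = _device_codes.get(device_code)
    if entry is None or entry["client_id"] != client_id:
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
            "scope": " ".join(sorted(entry["scope"]))}
```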