spring-authorization-server

Make the default scope empty for client_credentials grant

Open yonyes opened this issue 2 years ago • 2 comments

If the Request doesn't specify scopes, return the token without them.

Before: If the scope parameter is empty or missing, the token is generated with all possible scopes.

After: The received token will be without any scopes if there are no scopes in the token request.

Issue gh-780

yonyes, May 12 '22 10:05

Thanks for the PR @yonyes. This is a breaking change so we'll apply it in the 0.4.0 release. I'll revisit this PR when we start working on 0.4.0.

jgrandja, Jun 13 '22 14:06

I have commented on GH-780 about this. For me this behaviour is required, so could we make this configurable at the client level, so we can determine the behaviour where needed?

Something like settings.client.enable-default-scoping=true|false

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05, section 3.2.2.1, allows both behaviours to be valid.

lucwillems, Jun 30 '22 12:06
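As an added example, not code from this PR or from Spring Authorization Server, the following stand-alone Python sketch models the scope rule the PR changes for the client_credentials grant, together with the per-client switch lucwillems asks for above. With the switch off it behaves like the "after" state (an absent, empty or whitespace-only scope parameter yields a token with no scope); with the switch on it behaves like the "before" state (the token is widened to every scope the client was registered with). A requested scope outside the client's registration is refused with invalid_scope in either mode. RegisteredClient, enable_default_scoping, handle_token_request and the sample clients are assumptions for illustration, not Spring types or settings, and client authentication is left out.

```python
"""Model of client_credentials scope resolution at a token endpoint.

Stand-alone sketch, not Spring Authorization Server code: it shows the
rule changed by this PR and the per-client toggle proposed in the thread.
"""
from dataclasses import dataclass


class InvalidScopeError(ValueError):
    """Maps to the OAuth 2.0 token-endpoint error 'invalid_scope'."""


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    scopes: frozenset  # scopes the client was registered with
    # Hypothetical per-client switch modelled on the thread's suggestion
    # (settings.client.enable-default-scoping); not a real Spring setting.
    enable_default_scoping: bool = False


def resolve_scopes(client: RegisteredClient, scope_param) -> frozenset:
    """Return the scopes a client_credentials access token should carry.

    scope_param is the raw 'scope' form parameter, or None when absent.
    An absent, empty or whitespace-only parameter counts as "no scopes".
    """
    requested = frozenset(scope_param.split()) if scope_param else frozenset()
    if not requested:
        # Before this PR: silently widen to every registered scope.
        # After this PR (0.4.0): the token carries no scope at all.
        return client.scopes if client.enable_default_scoping else frozenset()
    unknown = requested - client.scopes
    if unknown:
        # Never grant a scope the client was not registered for.
        raise InvalidScopeError("unknown scope(s): " + " ".join(sorted(unknown)))
    return requested


def handle_token_request(form: dict, clients: dict) -> dict:
    """Minimal token endpoint: returns the JSON body the server would send.

    Client authentication is omitted; the client is looked up by client_id.
    """
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = clients.get(form.get("client_id"))
    if client is None:
        return {"error": "invalid_client"}
    try:
        scopes = resolve_scopes(client, form.get("scope"))
    except InvalidScopeError as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    body = {
        # Placeholder opaque token; a real server would mint a signed JWT
        # or a random reference token here.
        "access_token": "opaque-token-for-" + client.client_id,
        "token_type": "Bearer",
        "expires_in": 300,
    }
    if scopes:
        # RFC 6749 5.1: 'scope' is optional in the response when it equals
        # the request; we include it whenever the token carries any scope.
        body["scope"] = " ".join(sorted(scopes))
    return body


# Constructed sample clients, not taken from the project.
CLIENTS = {
    "strict": RegisteredClient("strict", frozenset({"read", "write"})),
    "legacy": RegisteredClient("legacy", frozenset({"read", "write"}),
                               enable_default_scoping=True),
}

if __name__ == "__main__":
    requests = [
        {"grant_type": "client_credentials", "client_id": "strict"},
        {"grant_type": "client_credentials", "client_id": "strict", "scope": ""},
        {"grant_type": "client_credentials", "client_id": "legacy"},
        {"grant_type": "client_credentials", "client_id": "strict", "scope": "read"},
        {"grant_type": "client_credentials", "client_id": "strict", "scope": "read admin"},
        {"grant_type": "password", "client_id": "strict"},
    ]
    for req in requests:
        print(req, "->", handle_token_request(req, CLIENTS))
```

The security point of the PR is the default in resolve_scopes: a client that omits the scope parameter should not be handed every scope it could possibly have asked for, since that silently defeats least privilege for any caller that forgets or never learned to pass scope. If a per-client toggle like the one proposed above is introduced, it should default to off, so the widening only happens for clients an operator has explicitly opted in.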

@yonyes Thanks again for the PR. This is now merged. FYI, I added a minor polish commit.

jgrandja, Aug 16 '22 10:08