In the Authorization Code Grant, scope should be optional
According to the OAuth 2.1 RFC, section 4.1.1, scope is optional in the Authorization Code Grant, but currently, if you don't add a scope parameter to the request, an exception is thrown when the user authorizes.
See lines 162 - 173 of OAuth2AuthorizationConsentAuthenticationProvider
```java
// OAuth2AuthorizationConsentAuthenticationProvider, lines 162-173 as referenced above
Set<GrantedAuthority> authorities = new HashSet<>();
authorizationConsentBuilder.authorities(authorities::addAll);
if (authorities.isEmpty()) {
    // Authorization consent denied (or revoked)
    if (currentAuthorizationConsent != null) {
        this.authorizationConsentService.remove(currentAuthorizationConsent);
    }
    this.authorizationService.remove(authorization);
    throwError(OAuth2ErrorCodes.ACCESS_DENIED, OAuth2ParameterNames.CLIENT_ID,
            authorizationConsentAuthentication, registeredClient, authorizationRequest);
}
```
Refer to the description in section 3.2.2.1, Access Token Scope:
"If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope."
Whether to deny or to provide a default scope value should be left to the user's control. I can contribute a PR if changes are required.
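The spec rule quoted above and the consent check in the quoted provider code are two separate decisions, and the following added example (not Spring Authorization Server code, and not code from the issue author) models both so the difference is visible on realistic input. `RegisteredClient.default_scopes`, `resolve_requested_scope()`, `process_consent()` and `evaluate_authorization_request()` are assumed names for illustration; the sample client registrations are constructed. A client with a configured default gets it when `scope` is omitted; a client without one gets `invalid_scope` at the request step, rather than an `access_denied` at consent time.

```python
# Added example (not Spring Authorization Server code): a minimal model of the
# scope rule in OAuth 2.1 draft section 3.2.2.1 / RFC 6749 section 3.3, plus the
# consent check quoted from OAuth2AuthorizationConsentAuthenticationProvider.
# RegisteredClient.default_scopes, resolve_requested_scope() and
# evaluate_authorization_request() are assumed names for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set


class OAuth2Error(Exception):
    """Carries the error code the authorization server would put in the redirect."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


@dataclass(frozen=True)
class RegisteredClient:
    client_id: str
    scopes: FrozenSet[str]                        # scopes the client may request
    default_scopes: FrozenSet[str] = frozenset()  # pre-defined default; empty means "fail the request"


def parse_scope_parameter(value: Optional[str]) -> Optional[Set[str]]:
    """RFC 6749 3.3: space-delimited, case-sensitive tokens. None or blank means omitted."""
    if value is None or not value.strip():
        return None
    return set(value.split())


def resolve_requested_scope(client: RegisteredClient, scope_param: Optional[str]) -> Set[str]:
    """Apply the MUST from 3.2.2.1: omitted scope -> pre-defined default, or invalid_scope."""
    requested = parse_scope_parameter(scope_param)
    if requested is None:
        if client.default_scopes:
            return set(client.default_scopes)
        raise OAuth2Error("invalid_scope",
                          f"scope omitted and no default scope configured for {client.client_id}")
    unknown = requested - client.scopes
    if unknown:
        raise OAuth2Error("invalid_scope", "not registered for: " + " ".join(sorted(unknown)))
    return requested


def process_consent(requested: Iterable[str], approved: Iterable[str]) -> Set[str]:
    """The consent step: an empty approved set is a denial, as in the quoted provider code."""
    authorized = set(requested) & set(approved)
    if not authorized:
        raise OAuth2Error("access_denied", "user approved none of the requested scopes")
    return authorized


def evaluate_authorization_request(client: RegisteredClient, scope_param: Optional[str],
                                   approved: Optional[Iterable[str]] = None) -> dict:
    """Validate the request, then run consent if an approved set is given; return the outcome."""
    try:
        scopes = resolve_requested_scope(client, scope_param)
        if approved is not None:
            scopes = process_consent(scopes, approved)
        return {"ok": True, "scopes": sorted(scopes)}
    except OAuth2Error as e:
        return {"ok": False, "error": e.error, "error_description": e.description}


# Constructed sample registrations, one per policy the spec allows.
CLIENT_WITH_DEFAULT = RegisteredClient("app-a", frozenset({"openid", "profile", "email"}),
                                       default_scopes=frozenset({"openid"}))
CLIENT_STRICT = RegisteredClient("app-b", frozenset({"read", "write"}))

if __name__ == "__main__":
    for client, scope, approved in [
        (CLIENT_WITH_DEFAULT, None, None),        # omitted -> default "openid"
        (CLIENT_STRICT, None, None),              # omitted -> invalid_scope
        (CLIENT_STRICT, "read write", ["read"]),  # user approves a subset
        (CLIENT_STRICT, "read", []),              # user approves nothing -> access_denied
        (CLIENT_STRICT, "admin", None),           # unregistered scope -> invalid_scope
    ]:
        print(client.client_id, repr(scope), evaluate_authorization_request(client, scope, approved))
```

The point of returning `invalid_scope` from the request step is that the client learns the real cause; an `access_denied` raised later during consent is indistinguishable from the user clicking "deny".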
@Hccake OAuth2AuthorizationConsentAuthenticationProvider handles the "User Consent" flow and OAuth2AuthorizationCodeRequestAuthenticationProvider handles the "Authorization Request" flow. The state parameter you are referring to is in the "User Consent" flow, which is required by the internal implementation. The "User Consent" flow is left to the implementor as it is NOT detailed in the spec. Only the Authorization Request flow is detailed in the spec.
Please see OAuth2AuthorizationCodeRequestAuthenticationValidator, which is the default for OAuth2AuthorizationCodeRequestAuthenticationProvider.authenticationValidator, where scope is optional.