oauth2-bundle
Not setting client scopes allows all requested scopes (if set as app scope)
I would like to know if it is intended that not setting scopes on the client (null) allows all requested scopes (if they are defined in the app scopes in trikoder_oauth2.yaml). I was expecting it to be the other way around: if there are no scopes set on the client, then no scopes are allowed (despite the fact that they are allowed by the app scopes).
For example:
App scopes | Client scopes | Requested scopes | Returned scopes |
---|---|---|---|
(null) | (null) | (null) | (null) |
foo | (null) | bar | (invalid scope) |
(null) | foo | bar | (invalid scope) |
bar | foo | bar | (invalid scope) |
foo | bar | bar | (invalid scope) |
foo bar | foo | bar | (invalid scope) |
foo bar | foo | (null) | foo |
foo | (null) | (null) | (null) |
foo | bar | (null) | bar |
foo | (null) | foo | foo |
Especially the last two cases are the confusing ones.
Where it happens:
```php
// Trikoder\Bundle\Oauth2Bundle\League\Repository\ScopeRepository
// ...
private function setupScopes(ClientModel $client, array $requestedScopes): array
{
    // ...
    if (empty($clientScopes)) {
        // no scopes on the client: every requested scope is passed through
        return $requestedScopes;
    }
    if (empty($requestedScopes)) {
        // nothing requested: fall back to the client's scopes
        return $clientScopes;
    }
    // ...
}
```
Is this intended behavior? If it is, I think the docs on this point can be more specific.
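The two early returns quoted above, as an added stand-alone PHP illustration that is not code from trikoder/oauth2-bundle: it reproduces every row of the table with the lenient rule the issue observes (empty client scopes mean "no restriction"), and prints the default-deny rule the issue expected beside it. The app-scope validation step and the final "requested must be a subset of client scopes" check are assumptions about the elided parts of setupScopes(); only the two early returns come from the quoted snippet, and the helper names (isSubset, resolveScopesLenient, resolveScopesStrict, fmt) are invented for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration, not the bundle's ScopeRepository. The app-scope check
 * and the trailing subset check are assumptions about the elided code;
 * only the two early returns are taken from the snippet in the issue.
 */

/** True when every element of $needles is also present in $haystack. */
function isSubset(array $needles, array $haystack): bool
{
    foreach ($needles as $needle) {
        if (!in_array($needle, $haystack, true)) {
            return false;
        }
    }
    return true;
}

/**
 * Behaviour as observed in the issue: an empty client scope list is treated
 * as "no restriction", so anything the app knows about can be requested.
 * Returns the granted scopes, or null for an invalid_scope error.
 */
function resolveScopesLenient(array $appScopes, array $clientScopes, array $requestedScopes): ?array
{
    if (!isSubset($requestedScopes, $appScopes)) {
        return null;                 // request names a scope the app does not define
    }
    if (empty($clientScopes)) {
        return $requestedScopes;     // app "foo", client (null), request "foo" -> "foo"
    }
    if (empty($requestedScopes)) {
        return $clientScopes;        // app "foo", client "bar", request (null) -> "bar"
    }
    return isSubset($requestedScopes, $clientScopes) ? $requestedScopes : null;
}

/**
 * Default-deny variant the issue expected: a client without scopes is granted
 * nothing, so a non-empty request against such a client is rejected.
 */
function resolveScopesStrict(array $appScopes, array $clientScopes, array $requestedScopes): ?array
{
    if (!isSubset($requestedScopes, $appScopes)) {
        return null;
    }
    if (empty($clientScopes)) {
        return empty($requestedScopes) ? [] : null;
    }
    if (empty($requestedScopes)) {
        return $clientScopes;
    }
    return isSubset($requestedScopes, $clientScopes) ? $requestedScopes : null;
}

/** Render a scope list the way the table in the issue does. */
function fmt(?array $scopes): string
{
    if ($scopes === null) {
        return '(invalid scope)';
    }
    return $scopes === [] ? '(null)' : implode(' ', $scopes);
}

// Constructed input: the rows of the table above, as [app, client, requested].
$rows = [
    [[],             [],      []],
    [['foo'],        [],      ['bar']],
    [[],             ['foo'], ['bar']],
    [['bar'],        ['foo'], ['bar']],
    [['foo'],        ['bar'], ['bar']],
    [['foo', 'bar'], ['foo'], ['bar']],
    [['foo', 'bar'], ['foo'], []],
    [['foo'],        [],      []],
    [['foo'],        ['bar'], []],
    [['foo'],        [],      ['foo']],
];

printf("%-8s | %-8s | %-10s | %-16s | %-16s\n", 'App', 'Client', 'Requested', 'Lenient (issue)', 'Strict');
foreach ($rows as [$app, $client, $requested]) {
    printf(
        "%-8s | %-8s | %-10s | %-16s | %-16s\n",
        fmt($app),
        fmt($client),
        fmt($requested),
        fmt(resolveScopesLenient($app, $client, $requested)),
        fmt(resolveScopesStrict($app, $client, $requested))
    );
}
```

Run with `php scopes.php`; the "Lenient" column matches the "Returned scopes" column of the table row for row, and the "Strict" column differs only on the last row (app "foo", client (null), request "foo"), which becomes "(invalid scope)" under default-deny. Neither variant validates the client's own scopes against the app scopes, which is why "foo | bar | (null)" still yields "bar" in both.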