Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Simplified scope request returns empty scopes instead of expected Cartesian product with role-based scopes #6922

Open
3 of 4 tasks
u0x01 opened this issue Jan 5, 2025 · 0 comments
Open
3 of 4 tasks

bug: Simplified scope request returns empty scopes instead of expected Cartesian product with role-based scopes #6922

u0x01 opened this issue Jan 5, 2025 · 0 comments
Assignees
@wangsijie
Labels
bug Something isn't working

Comments

@u0x01
Copy link
Contributor

u0x01 commented Jan 5, 2025

Describe the bug

When using simplified scope configuration in Logto, the scope handling behavior appears inconsistent with RFC 8707/RFC6749 Section 3.3 specifications. While explicit scope requests work as expected, using simplified scope configuration results in empty scopes being returned, rather than the expected intersection of available and requested scopes.

Expected behavior

When using simplified scope configuration (Cartesian product of scopes and resources), the system should:

  1. Process the simplified scopes (read, write) against the resource's defined scopes (shopping:read, shopping:write)
  2. Return the intersection of available and requested scopes when obtaining resource tokens
  3. Follow RFC 8707/RFC6749 Section 3.3 specifications for scope resolution

Example expected result for a user with role-based scopes [shopping:read, shopping:write]:

  • When requesting scopes [read, write], should return [shopping:read, shopping:write]

How to reproduce?

  1. Configure API resource with scopes shopping:read and shopping:write
  2. Create a role with scopes shopping:read and shopping:write
  3. Assign the role to a user
  4. Configure Logto client with simplified scopes:
export const logtoConfig = {
  scopes: ['read', 'write'],
  resources: ['https://shopping.your-app.com/api'],
};
  1. Initiate authentication flow
  2. Attempt to obtain resource token through /oidc/token endpoint using either:
    • grant_type: authorization_code
    • grant_type: refresh_token
  3. Observe that returned scopes are empty [] instead of the expected [shopping:read, shopping:write]

Context

  • Logto Cloud
  • Self-hosted, Logto version =
    • Container (Docker image)
    • Raw Node.js

Additional context

For comparison, when using explicit scope configuration, everything works as expected:

export const logtoConfig = {
  scopes: ['shopping:read', 'shopping:write'],
  resources: ['https://shopping.your-app.com/api'],
};

This configuration correctly returns the expected scopes based on user roles.

Test environment details:

  • Test Resource has scopes [shopping:read, shopping:write]
  • Test Role has scopes [shopping:read, shopping:write]
  • User has Test Role
  • Requested scopes during Auth phase: [read, write]

Doc Ref
configure-logto-client
@u0x01 u0x01 added the bug Something isn't working label Jan 5, 2025
@wangsijie wangsijie self-assigned this Jan 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wangsijie wangsijie

Labels
bug Something isn't working
Milestone
No milestone
Development

No branches or pull requests
2 participants
@wangsijie @u0x01