Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The token request should not include the scope parameter #130

Merged
merged 4 commits into from
Dec 12, 2023
Merged

The token request should not include the scope parameter #130

merged 4 commits into from
Dec 12, 2023

Conversation

anthony-vito
Copy link
Contributor

The scope parameter is not indicated in RFC7636 for inclusion in the token request. It should be removed as it causes issues with strict IDP implementations.

What does this pull request change?

Removes "scope" parameter from token request

Why is this pull request needed?

Including "scope" is a specification violation

Issues related to this change

#129

@soofstad
Copy link
Owner

soofstad commented Dec 6, 2023

Good stuff! 👍
Just want to add that "Including "scope" is a specification violation" is not really the reason to cut this. The package quite often goes outside the spec to try and make the flow work with "non-rfc-compliant-IDP"'s.

But now that we have one example of an IDP that will fail with "scope" in, and non that require "scope" to be there. I'd say it's safe to remove it.

@soofstad soofstad self-requested a review December 6, 2023 19:10
soofstad
soofstad requested changes Dec 6, 2023
View reviewed changes
src/authentication.ts Show resolved Hide resolved
@soofstad soofstad linked an issue Dec 8, 2023 that may be closed by this pull request
💡 [REQUEST] - Scope parameter is not supported on an authorization code access_token exchange request #129
Closed
@soofstad soofstad force-pushed the bugfix/remove-scope-from-token-request branch from ecf0a0e to 32dbb28 Compare December 8, 2023 07:50
@anthony-vito @soofstad
The token request should not include the scope parameter
07bbe85 
The scope parameter is not indicated in RFC7636 for inclusion
in the token request. It should be removed as it causes issues
with strict IDP implementations.
@anthony-vito @soofstad
Remove the scope from the base type for token requests.
fb9ad4c
@soofstad soofstad force-pushed the bugfix/remove-scope-from-token-request branch from 32dbb28 to fb9ad4c Compare December 8, 2023 07:52
@soofstad
Copy link
Owner

soofstad commented Dec 8, 2023
edited
Loading

I saw the tests had not ran. So I fixed that and rebased your branch. You can now see that they fail.
Note that "scope" should be allowed in the refresh request.

@anthony-vito
Copy link
Contributor Author

I moved the optional scope field to the token refresh request type to correct that. I also updated the test data since the scope parameter is no longer sent in the token request.

soofstad
soofstad approved these changes Dec 12, 2023
View reviewed changes
Copy link
Owner

@soofstad soofstad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks for the contribution

@soofstad soofstad merged commit 84baba8 into soofstad:main Dec 12, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sebastianvitterso sebastianvitterso sebastianvitterso left review comments

@soofstad soofstad soofstad approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

💡 [REQUEST] - Scope parameter is not supported on an authorization code access_token exchange request
3 participants
@anthony-vito @soofstad @sebastianvitterso