
Authorize request should fail if scope request parameter is not provided #289


Conversation

anoopgarlapati
Contributor

Closes gh-288

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 11, 2021
@wsaca

wsaca commented May 11, 2021

If this PR is applied, how could we customize the access token to add default scopes? For example, based on the user who was logged in.

@anoopgarlapati
Contributor Author

@wsaca As noted in the issue description #288, authorization server must either reject a request without scope parameter or accept the request with a pre-defined set of scopes. The current behavior provided in the project is neither. As a result, this PR will change the default behavior to reject such a request, which is what providers such as Okta do.
Also, as noted:

Ability to customize this default behavior for using a pre-defined value as an alternative behavior suggested in the spec would be provided by custom configuration that would be delivered in #139.

So, the ability to switch this behavior to use a pre-defined value (based on user profile, client profile, etc) would be provided as customization hook in #139.
@jgrandja Can you please chime in here?

@jgrandja
Collaborator

@wsaca

How could we customize the access token to add default scopes? For example, based on the user who was logged in.

The existing OAuth2TokenCustomizer (gh-199) would allow you to customize the scopes based on the user who was logged in.

See example configuration:

https://github.com/spring-projects-experimental/spring-authorization-server/blob/93d16d4419440be4b89e0ff92ec267bf26db1a02/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java#L381
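The two comments above describe the same choice from different sides: reject an authorize request that omits `scope`, or fall back to a pre-defined set (per client, per user) when it is absent. The following is an added example, not code from this PR or from the Spring Authorization Server project, of how an `OAuth2TokenCustomizer<JwtEncodingContext>` bean can supply that fallback for the access token. It assumes the 0.1.x package layout (later releases moved these classes to a `token` sub-package), that `context.getAuthorizedScopes()` holds the scopes the user actually authorized, and a hypothetical mapping from the `ROLE_ADMIN` authority to an `admin` scope; the scope names are constructed for the example.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

@Configuration
public class DefaultScopeTokenCustomizerConfig {

    // Hypothetical policy for this example: every user gets "read" when no
    // scope was requested; users holding ROLE_ADMIN additionally get "admin".
    private static final String DEFAULT_SCOPE = "read";
    private static final String ADMIN_AUTHORITY = "ROLE_ADMIN";
    private static final String ADMIN_SCOPE = "admin";

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            // Only the access token carries the scope claim; leave ID tokens alone.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            RegisteredClient client = context.getRegisteredClient();
            Set<String> scopes = resolveScopes(principal, client, context.getAuthorizedScopes());
            context.getClaims().claim(OAuth2ParameterNames.SCOPE, scopes);
        };
    }

    // Computes the scopes to issue. Scopes the user explicitly authorized are kept
    // as-is; the pre-defined fallback applies only when that set is empty, i.e.
    // when the authorize request carried no scope parameter.
    static Set<String> resolveScopes(Authentication principal, RegisteredClient client,
            Set<String> authorizedScopes) {
        Set<String> scopes = new LinkedHashSet<>(authorizedScopes);
        if (scopes.isEmpty()) {
            scopes.add(DEFAULT_SCOPE);
            if (hasAuthority(principal, ADMIN_AUTHORITY)) {
                scopes.add(ADMIN_SCOPE);
            }
        }
        // Least privilege: never issue a scope the client was not registered for,
        // whatever the user-based default says.
        scopes.retainAll(client.getScopes());
        return scopes;
    }

    private static boolean hasAuthority(Authentication principal, String authority) {
        for (GrantedAuthority granted : principal.getAuthorities()) {
            if (authority.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

Two things to check before relying on this in a deployment: the customizer rewrites the `scope` claim inside the JWT only, so confirm that the scopes recorded on the stored `OAuth2Authorization` (what token introspection and consent screens report) agree with what the token says, and keep the `retainAll` against the client's registered scopes, since a user-derived default must never widen a client beyond what it was registered for.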

@jgrandja jgrandja self-assigned this May 20, 2021
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 20, 2021
@jgrandja jgrandja added this to the 0.1.2 milestone May 20, 2021
@anoopgarlapati
Contributor Author

Closing as this is not needed anymore. See #288 (comment) in the issue.

@anoopgarlapati anoopgarlapati deleted the gh-288-authorize-request-scope branch June 11, 2021 13:05
@jgrandja jgrandja added the status: declined A suggestion or change that we don't feel we should currently apply label Jun 11, 2021
@jgrandja jgrandja removed this from the 0.1.2 milestone Jun 11, 2021
Labels
status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement
Successfully merging this pull request may close these issues.

The authorize request should fail if scope request parameter is not provided