diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 2be1d5de1..c0ef68673 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
@@ -349,10 +349,16 @@ private void validateAuthorizationRequest(OAuth2AuthorizationRequestContext auth
 return;
 }
- // scope (OPTIONAL)
+ // scope (REQUIRED)
+ // If the client omits the scope parameter when requesting
+ // authorization, the authorization server MUST either process the
+ // request using a pre-defined default value or fail the request
+ // indicating an invalid scope. The authorization server SHOULD
+ // document its scope requirements and default value (if defined).
+ // TODO Allow configuration for scope request parameter behavior
 Set requestedScopes = authorizationRequestContext.getScopes();
 Set allowedScopes = registeredClient.getScopes();
- if (!requestedScopes.isEmpty() && !allowedScopes.containsAll(requestedScopes)) {
+ if (requestedScopes.isEmpty() || !allowedScopes.containsAll(requestedScopes)) {
 authorizationRequestContext.setError(
 createError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE));
 return;
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
index c1ad437cf..a75550d5f 100644
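Review bot: The new `requestedScopes.isEmpty()` branch turns an omitted scope into a hard `invalid_scope` failure, but the comment block above it only quotes the RFC 6749 §3.3 alternatives (default value or fail) without saying which one this server takes, so a reader has to infer the decision from the condition. State it explicitly next to the TODO, e.g. `// No default scope is defined: an omitted or empty scope parameter is rejected with invalid_scope.`, and since this is a behavior change for existing clients the spec's "SHOULD document its scope requirements" clause applies to the reference documentation as well, not just this comment. The same branch also collapses an absent parameter and a present-but-empty `scope=` value into one case, which appears intended but is worth naming in that comment. validateAuthorizationRequest starts and ends outside the hunk, so I cannot confirm from here that redirect_uri has already been validated by the time this error is produced; the `return;` at the top of the hunk suggests an earlier check, but please verify, because `invalid_scope` is delivered to the client via redirect.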
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
@@ -284,6 +284,21 @@ public void doFilterWhenAuthorizationRequestInvalidResponseTypeThenUnsupportedRe
 request -> request.setParameter(OAuth2ParameterNames.RESPONSE_TYPE, "id_token"));
 }
+ // gh-288
+ @Test
+ public void doFilterWhenAuthorizationRequestMissingScopeThenInvalidScopeError() throws Exception {
+ RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+ when(this.registeredClientRepository.findByClientId((eq(registeredClient.getClientId()))))
+ .thenReturn(registeredClient);
+
+ doFilterWhenAuthorizationRequestInvalidParameterThenRedirect(
+ registeredClient,
+ OAuth2ParameterNames.SCOPE,
+ OAuth2ErrorCodes.INVALID_SCOPE,
+ DEFAULT_ERROR_URI,
+ request -> request.removeParameter(OAuth2ParameterNames.SCOPE));
+ }
+
 @Test
 public void doFilterWhenAuthorizationRequestInvalidScopeThenInvalidScopeError() throws Exception {
 RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
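Review bot: The new test removes the `scope` parameter entirely, so the only path it pins is a request with no scope at all; the filter's new check is on `requestedScopes.isEmpty()`, which an explicitly empty `scope=` (or whitespace-only) value would presumably also reach, and that is the more common malformed-client shape. Add a sibling test that keeps the parameter but blanks it, e.g. `request -> request.setParameter(OAuth2ParameterNames.SCOPE, "")`, expecting the same `INVALID_SCOPE` redirect. Whether the request parser normalizes a blank value to an empty set is not visible in this hunk, so that test would also lock down the parsing behavior the filter now relies on. The `doFilterWhenAuthorizationRequestInvalidParameterThenRedirect` helper the test calls is defined outside the hunk.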