Why are scope query params used at the token endpoint?
When grant_type is authorization_code or refresh_token, the scope was declared in the auth request and is already associated with the token, hence token.code should be used to create the id token, not self.params['scope']. See https://github.com/juanifioren/django-oidc-provider/blob/v0.5.x/oidc_provider/lib/endpoints/token.py#L203
Top GitHub Comments
Yep, for the password grant type it seems to be correct to use the scope provided to the token endpoint. Only problem with that in the current implementation is that the scope parameter is not split correctly when passed to create_id_token, i.e. "openid email" is being passed but correct would be ["openid", "email"].

I can agree. Scope should be taken from the first auth request, when checking consents. Can you provide some PR with tests for this? If not, I will fix this asap and ask @juanifioren to release this security fix.
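The rule the issue and the comments above converge on, written out as an added example (not django-oidc-provider's own code): for authorization_code and refresh_token the ID-token scope comes from the stored code or token, so a client cannot widen its scope by sending a broader scope parameter to the token endpoint; for the password grant it comes from the request, split into a list. The resolve_scope function and the minimal Code and Token classes are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Code:
    # Stand-in for a stored authorization code; scope fixed at consent time.
    scope: list = field(default_factory=list)


@dataclass
class Token:
    # Stand-in for a stored token, whose scope was fixed when it was issued.
    scope: list = field(default_factory=list)


def resolve_scope(grant_type, params, code=None, token=None):
    """Return the scope list the ID token should carry for this grant.

    authorization_code / refresh_token: the user consented to a scope at the
    authorization endpoint and it is stored with the code or token, so the
    'scope' request parameter is ignored; honouring it would let a client
    escalate its scope at the token endpoint.

    password: there is no earlier authorization request, so the scope comes
    from the request and is split on whitespace into a list rather than being
    passed on as one string such as "openid email".
    """
    if grant_type == 'authorization_code':
        if code is None:
            raise ValueError('authorization_code grant requires a stored code')
        return list(code.scope)
    if grant_type == 'refresh_token':
        if token is None:
            raise ValueError('refresh_token grant requires a stored token')
        return list(token.scope)
    if grant_type == 'password':
        return params.get('scope', '').split()
    raise ValueError('unsupported grant_type: %s' % grant_type)
```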