Describe the bug
The scope parameter from the authorization request is stored verbatim into the AuthorizationCode and propagated to the token without any validation against what the client is registered/allowed to request.
In app/oauth/views/authorize.py (approx line 52):
scope = request.args.get("scope")
# ... later ...
AuthorizationCode.create(..., scope=scope, ...)A client registered for limited scopes (e.g., openid) can request broader scopes (e.g., openid email name profile) in the authorization URL, and the server will grant them without checking against the client's allowed scope list. RFC 6749 Section 3.3 requires the authorization server to validate the requested scope.
Expected behavior
The authorization endpoint should validate that the requested scope is a subset of the client's registered/allowed scopes. If the client requests unauthorized scopes, the server should either reject the request with invalid_scope or silently drop the unauthorized scopes and proceed with the allowed ones.
Additional context
File: app/oauth/views/authorize.py around line 52.
Describe the bug
The
scopeparameter from the authorization request is stored verbatim into theAuthorizationCodeand propagated to the token without any validation against what the client is registered/allowed to request.In
app/oauth/views/authorize.py(approx line 52):A client registered for limited scopes (e.g.,
openid) can request broader scopes (e.g.,openid email name profile) in the authorization URL, and the server will grant them without checking against the client's allowed scope list. RFC 6749 Section 3.3 requires the authorization server to validate the requested scope.Expected behavior
The authorization endpoint should validate that the requested
scopeis a subset of the client's registered/allowed scopes. If the client requests unauthorized scopes, the server should either reject the request withinvalid_scopeor silently drop the unauthorized scopes and proceed with the allowed ones.Additional context
File: app/oauth/views/authorize.py around line 52.