Describe the bug
The token endpoint response includes a non-standard "user" field containing personally identifiable information (PII) such as the user's email, name, and ID:
```python
# app/oauth/views/token.py line 82
res = {
    "access_token": oauth_token.access_token,
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": auth_code.scope,
    "user": user_data,  # todo: remove this
}
```
Per RFC 6749 Section 5.1, the standard token response fields are strictly limited to access_token, token_type, expires_in, refresh_token, and scope. Including PII in the token response means that any party or network observer that can see the token exchange will also receive the user's PII, even if they only requested an access token.
The inline comment # todo: remove this indicates this was already identified as technical debt to be cleaned up.
Expected behavior
Remove the "user" field from the token response dictionary. Clients requiring user information should fetch it via the standard /oauth2/userinfo endpoint using the issued access token.
Additional context
File: app/oauth/views/token.py line 82.
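Added illustration, not code from the project: the leaky response builder described above next to a hardened one that emits only RFC 6749 section 5.1 fields, plus a small check that can serve as a regression test for this issue. The function and parameter names are assumptions.

```python
# Added example, not the project's code. Names are hypothetical.
# Token response parameters defined in RFC 6749 section 5.1.
RFC6749_TOKEN_RESPONSE_FIELDS = frozenset(
    {"access_token", "token_type", "expires_in", "refresh_token", "scope"}
)


def build_token_response_leaky(access_token, scope, user_data):
    """Mirrors the reported bug: a PII-bearing 'user' object rides along."""
    return {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": scope,
        "user": user_data,  # visible to any party that sees the exchange
    }


def build_token_response(access_token, scope, refresh_token=None):
    """Hardened form: only RFC 6749 section 5.1 fields, no user object.

    Clients that need profile data call the userinfo endpoint instead.
    """
    res = {
        "access_token": access_token,
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": scope,
    }
    if refresh_token is not None:
        res["refresh_token"] = refresh_token
    return res


def nonstandard_fields(response):
    """Keys in a token response that are not RFC 6749 token fields, sorted."""
    return sorted(set(response) - RFC6749_TOKEN_RESPONSE_FIELDS)


def leaks_pii(response):
    """Regression check for this bug: a 'user' object in the token response."""
    return "user" in response
```

Wiring nonstandard_fields into the token endpoint's test suite catches any future field added to res before it reaches a client or network observer.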