Don't issue tokens that have no scope #7

jamietanna · 2020-06-26T16:18:40Z

It appears that not providing a scope parameter returns different results based on which flow you're going through.

I used the following authorization URL:

https://indieauth.com/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&client_id=https%3A%2F%2Fwww-editor.jvt.me&state=production&response_type=code&me=https://www.jvt.me

After validating the authorization code:

{
    "me": "https://www.jvt.me/",
    "scope": null
}

After exchanging the authorization code:

{
    "me": "https://www.jvt.me/",
    "scope": "",
    "access_token": "(REDACTED)",
    "token_type": "Bearer"
}

And the body of the access token JWT:

{
  "typ": "JWT",
  "alg": "HS256"
}
{
  "me": "https://www.jvt.me/",
  "issued_by": "https://tokens.indieauth.com/token",
  "client_id": "https://www-editor.jvt.me",
  "issued_at": 1593188046,
  "scope": "",
  "nonce": 905775930
}

The text was updated successfully, but these errors were encountered:

aaronpk · 2020-06-26T16:25:38Z

hm, I think tokens.indieauth.com should probably just not issue a token that has no scope. I'm going to move this issue to that repo.

aaronpk transferred this issue from aaronpk/IndieAuth.com Jun 26, 2020

aaronpk changed the title ~~Bug: inconsistency between scope handling for authorization code verification and authorization code exchange~~ Don't issue tokens that have no scope Jun 26, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't issue tokens that have no scope #7

Don't issue tokens that have no scope #7

Don't issue tokens that have no scope #7

Don't issue tokens that have no scope #7

Comments