oauth2: Reject authorization requests for invalid scopes before redirecting to consent endpoint #776

Closed
aeneasr opened this issue Feb 9, 2018 · 1 comment
Labels: breaking change (Changes behavior in a breaking manner.), feat (New feature or request.), package/oauth2, upstream (Issue is caused by an upstream dependency.)

Comments

aeneasr commented Feb 9, 2018

Currently, authorization requests fail when a client is being granted scopes that the client is not allowed to request - after consent.

We should add an additional check that makes sure that the client isn't able to request scopes he isn't allowed to request before doing consent.

We should keep the check after consent as well to make sure he wasn't accidentally granted scopes he isn't allowed to request.

@aeneasr aeneasr self-assigned this Feb 9, 2018
@aeneasr aeneasr added this to the 1.0.0 milestone Feb 9, 2018
@aeneasr aeneasr added feat New feature or request. upstream Issue is caused by an upstream dependency. package/oauth2 labels Feb 9, 2018
@aeneasr aeneasr modified the milestones: 1.0.0, 1.0.0-alpha.1 Feb 9, 2018
@aeneasr aeneasr added the breaking change Changes behavior in a breaking manner. label Feb 9, 2018
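The two checks described in the issue, written out as an added example. This is not Hydra's or fosite's code: the `Client` type, the function names and the sample client are assumptions made for illustration, and the dot-separated hierarchical matching (an allowed `foo` covers `foo.bar`) is assumed to mirror fosite's hierarchic scope strategy. `CheckBeforeConsent` runs on the raw `scope` query parameter so a request for a disallowed scope is answered with the RFC 6749 `invalid_scope` error instead of being redirected to the consent app; `CheckAfterConsent` repeats the check on whatever the consent app granted, and additionally rejects granted scopes the user was never asked about, which the issue does not mention.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidScope stands for the RFC 6749 "invalid_scope" error code that an
// authorization server returns when a client asks for a scope it may not have.
var ErrInvalidScope = errors.New("invalid_scope")

// Client is a hypothetical stand-in for an OAuth2 client record (not Hydra's
// type). Scopes lists the scopes the client has been allowed to request.
type Client struct {
	ID     string
	Scopes []string
}

// covers reports whether an allowed scope covers a requested one using
// hierarchical matching (an assumption modelled on fosite's hierarchic
// strategy): allowed "foo" covers "foo", "foo.bar" and "foo.bar.baz";
// allowed "foo.bar" does not cover "foo".
func covers(allowed, requested string) bool {
	return allowed == requested || strings.HasPrefix(requested, allowed+".")
}

// ValidateScopes checks every requested scope against the client's allowed
// scopes and returns ErrInvalidScope naming the offending scopes, or nil.
func ValidateScopes(c *Client, requested []string) error {
	var rejected []string
	for _, r := range requested {
		allowed := false
		for _, a := range c.Scopes {
			if covers(a, r) {
				allowed = true
				break
			}
		}
		if !allowed {
			rejected = append(rejected, r)
		}
	}
	if len(rejected) > 0 {
		return fmt.Errorf("%w: client %q may not request %s",
			ErrInvalidScope, c.ID, strings.Join(rejected, " "))
	}
	return nil
}

// CheckBeforeConsent is the pre-consent check: run it on the "scope" query
// parameter of the authorization request and, on error, answer the client
// with error=invalid_scope instead of redirecting to the consent endpoint.
func CheckBeforeConsent(c *Client, scopeParam string) error {
	return ValidateScopes(c, strings.Fields(scopeParam))
}

// CheckAfterConsent is the post-consent check that is kept as a second line
// of defence: the scopes the consent app granted must still be ones the
// client may hold. As an extra guard (assumed here, not in the issue) it also
// rejects granted scopes that were not covered by the original request.
func CheckAfterConsent(c *Client, requested, granted []string) error {
	for _, g := range granted {
		asked := false
		for _, r := range requested {
			if covers(r, g) {
				asked = true
				break
			}
		}
		if !asked {
			return fmt.Errorf("%w: granted scope %q was not requested", ErrInvalidScope, g)
		}
	}
	return ValidateScopes(c, granted)
}

func main() {
	// Constructed sample client: may request "openid" and anything under "hydra.clients".
	c := &Client{ID: "admin-ui", Scopes: []string{"openid", "hydra.clients"}}

	fmt.Println(CheckBeforeConsent(c, "openid hydra.clients.get")) // <nil>: redirect to consent
	fmt.Println(CheckBeforeConsent(c, "openid hydra.keys"))        // invalid_scope: rejected before consent
	fmt.Println(CheckAfterConsent(c,
		[]string{"openid"}, []string{"openid", "hydra.clients"})) // invalid_scope: granted but never requested
}
```

Because `covers` is one-directional, a client allowed `hydra.clients` cannot request the parent `hydra`, while a consent app may narrow a requested `hydra.clients` down to `hydra.clients.get` without tripping the post-consent check.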
aeneasr commented May 8, 2018

This is still an issue in the 1.0.0 branch

aeneasr pushed a commit that referenced this issue May 20, 2018
Currently, authorization requests fail when a client is being granted scopes that the client is not allowed to request - after consent.

We should add an additional check that makes sure that the client isn't able to request scopes he isn't allowed to request before doing consent.

We should keep the check after consent as well to make sure he wasn't accidentally granted scopes he isn't allowed to request.

This patch resolves the addressed issue

Closes #776