OIDC scopes are in the response when requesting access token with client credentials #2033
Conversation
…ess token with client credential
…ting access token with client credential
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);

//Get all the registered oidc scopes of a tenant
List<String> oidcScopes = OAuth2Util.getOIDCScopes(tokReqMsgCtx.getOauth2AccessTokenReqDTO()
.getTenantDomain());

//Check whether the is there any oidc scope in the request
for (String scope : scopes) {
if (oidcScopes.contains(scope)) {
scopes = (String[]) ArrayUtils.removeElement(scopes, scope);
}
}
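Review bot: the loop at the end of the hunk is correct but costly: the enhanced-for walks the array captured at loop entry, so reassigning `scopes` inside the body does not disturb iteration and each repeated scope triggers its own removal, but every `ArrayUtils.removeElement` call copies the array and `oidcScopes.contains(scope)` is a linear scan of a List. Put the tenant's OIDC scopes plus `openid` into a Set, filter the requested scopes in one pass, and write the result back with a single `setScope`. The comment `//Check whether the is there any oidc scope in the request` also needs `the is there` fixed.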
Can we improve this logic to filter the OIDC scopes at once without repeatedly removing the oidc scopes one by one?
// Remove openid scope from the token message context.
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);

//Get all the registered oidc scopes of a tenant
Suggested change:
//Get all the registered oidc scopes of a tenant
// Get all the registered OIDC scopes of a tenant.
Follow the correct formatting for comments.
.collect(Collectors.toList());

tokReqMsgCtx.setScope(filteredScopes.toArray(new String[0]));

if (log.isDebugEnabled()) {
log.debug("id_token is not allowed for requested grant type: " + grantType + ". Removing 'openid' " +
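Review bot: the debug message still says "Removing 'openid'" while `filteredScopes`, the array written back with `setScope` two lines above, now also drops every OIDC scope registered for the tenant; make the log state the grant type and list the scopes actually removed (the difference between the requested scopes and `filteredScopes`) so the message matches what the code does.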
Shall we modify this debug log?
PR builder started
String[] scopes = (String[]) ArrayUtils.removeElement(tokReqMsgCtx.getScope(), OAuthConstants.Scope.OPENID);
tokReqMsgCtx.setScope(scopes);
//Remove OIDC scopes from the token message context
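Review bot: `tokReqMsgCtx.setScope(scopes)` is called right after only `openid` has been removed, and the comment `//Remove OIDC scopes from the token message context` follows that call instead of introducing the code that does the removal; filter the remaining OIDC scopes first and call `setScope` once with the final array, so the context never carries an intermediate scope list.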
PR builder completed
...dentity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
PR builder started
PR builder completed
Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/5419309519
…o2/carbon/identity/oauth2/validators/OIDCScopeHandler.java
Improve the debug log
Issue
OIDC scopes are in the response when requesting access token with client credentials #15486 (Fixes wso2/product-is#15486) - When requesting an access token with the client credentials grant type and including OIDC scopes, OIDC scopes such as "email", "profile" and "phone" appear in the response. These scopes shouldn't be in the response.
Approach
The logic for this part is in the "validateScope" method of the "OIDCScopeHandler.java" class.
Goal
OIDC scopes should not be in the response.
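Added example, not code from the project or from this PR: a stand-alone Java program that filters the tenant's OIDC scopes and `openid` out of a client_credentials token request in a single pass with a Set, as the review above asks for, next to the one-at-a-time `removeElement` pattern from the diff for comparison, and that computes the list of dropped scopes for a debug line that names what was removed. The class and method names, the tenant scope list, the sample request and the set of grant types that get no id_token (here a plain Set holding only `client_credentials`) are all constructed for this example; the real handler takes those values from the token request context and server configuration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Added illustration for this PR, not the project's OIDCScopeHandler.
 * Every name, scope list and request below is constructed for the example.
 */
public class OidcScopeFilterExample {

    static final String OPENID = "openid";

    // Assumption for the example: grant types that produce no id_token and so get no OIDC scopes.
    static final Set<String> GRANTS_WITHOUT_ID_TOKEN = new HashSet<>(Arrays.asList("client_credentials"));

    /** Stand-in for ArrayUtils.removeElement: drops the first occurrence of element only. */
    static String[] removeElement(String[] array, String element) {
        int idx = Arrays.asList(array).indexOf(element);
        if (idx < 0) {
            return array;
        }
        String[] out = new String[array.length - 1];
        System.arraycopy(array, 0, out, 0, idx);
        System.arraycopy(array, idx + 1, out, idx, array.length - idx - 1);
        return out;
    }

    /**
     * The one-at-a-time pattern from the diff, kept for comparison. The enhanced-for walks the
     * array captured at loop entry, so reassigning 'scopes' inside the body is safe and each
     * repeated scope triggers its own removal; the cost is one array copy per removal plus a
     * linear List.contains per requested scope.
     */
    static String[] filterOneByOne(String[] requested, List<String> tenantOidcScopes) {
        String[] scopes = removeElement(requested, OPENID);
        for (String scope : scopes) {
            if (tenantOidcScopes.contains(scope)) {
                scopes = removeElement(scopes, scope);
            }
        }
        return scopes;
    }

    /**
     * Single pass: O(1) set lookup, every occurrence dropped, order of surviving scopes kept.
     * Grants that may carry an id_token are returned untouched.
     */
    static String[] filterOidcScopes(String grantType, String[] requested,
                                     List<String> tenantOidcScopes, Set<String> grantsWithoutIdToken) {
        if (!grantsWithoutIdToken.contains(grantType)) {
            return requested;
        }
        Set<String> toDrop = new HashSet<>(tenantOidcScopes);
        toDrop.add(OPENID);
        return Arrays.stream(requested)
                .filter(scope -> !toDrop.contains(scope))
                .toArray(String[]::new);
    }

    /** Scopes that filtering removed, for a debug line that names what was dropped. */
    static List<String> droppedScopes(String[] requested, String[] kept) {
        Set<String> keptSet = new HashSet<>(Arrays.asList(kept));
        return Arrays.stream(requested)
                .filter(scope -> !keptSet.contains(scope))
                .distinct()
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample: a tenant's registered OIDC scopes and a client_credentials request
        // that mixes OIDC scopes (one of them repeated) with an ordinary API scope.
        List<String> tenantOidcScopes = Arrays.asList("email", "profile", "phone", "address");
        String[] requested = {"openid", "email", "email", "read:orders", "profile"};
        String grantType = "client_credentials";

        String[] kept = filterOidcScopes(grantType, requested, tenantOidcScopes, GRANTS_WITHOUT_ID_TOKEN);
        System.out.println("one by one : " + Arrays.toString(filterOneByOne(requested, tenantOidcScopes)));
        System.out.println("single pass: " + Arrays.toString(kept));
        System.out.println("id_token is not allowed for requested grant type: " + grantType
                + ". Removed OIDC scopes: " + droppedScopes(requested, kept));
        // A grant that may carry an id_token keeps the request as sent.
        System.out.println("auth code  : " + Arrays.toString(
                filterOidcScopes("authorization_code", requested, tenantOidcScopes, GRANTS_WITHOUT_ID_TOKEN)));
    }
}
```

Both filters leave only `read:orders` for the client_credentials request; the single-pass version touches each requested scope once and needs no intermediate arrays, and the same request under `authorization_code` passes through unchanged because that grant can carry an id_token.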