The `scope` parameter has been mistakenly required on device access token request #1411
On device authorization flow, according to RFC8628, the "Device Access Token Request" should send these parameters:

- grant_type
- device_code
- client_id

As you can see there is no `scope` parameter, because the scope parameter had been sent on the first step, "Device Authorization Request":

- client_id
- scope

The scopes are requested by the client on the first request and should be persisted on the DB. When the user enters the user code we display the client info and the list of scopes to be approved by the user. So the client shouldn't specify scopes on the last request, but the current implementation requires `scopes` on `DeviceCodeGrant::respondToAccessTokenRequest()` mistakenly:

oauth2-server/src/Grant/DeviceCodeGrant.php, lines 140 to 141 in 2ed9e5f

I think you should get the scopes from `$deviceCodeEntity` instead, which was persisted on the DB. Am I missing something?

Comments

@Sephster would you please take a look? It seems to be a bug.

Does indeed look to be a bug. Thanks for spotting this. I'm tied up the next few days but will get to this early next week. Cheers @hafezdivandari

This was referenced May 30, 2024
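The server-side handling the issue describes, as an added example that is not code from league/oauth2-server: a minimal Python handler for the RFC 8628 Device Access Token Request that checks only grant_type, device_code and client_id and takes the granted scopes from the persisted device-code record, so a `scope` value sent on this request cannot widen what the user approved. `DeviceCodeRecord`, the `store` dict, the error class and the sample values are constructed for the example.

```python
from dataclasses import dataclass

# RFC 8628 grant_type value for the Device Access Token Request.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"

@dataclass
class DeviceCodeRecord:
    """State persisted at the Device Authorization Request step (constructed model)."""
    device_code: str
    client_id: str
    requested_scopes: frozenset  # what the client asked for on the first request
    approved_scopes: frozenset   # what the user approved when entering the user code
    user_approved: bool
    expires_at: float

class TokenError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code  # OAuth error code for the JSON error response

def respond_to_access_token_request(params: dict, store: dict, now: float) -> dict:
    """Handle the Device Access Token Request; scopes come from the store only."""
    # RFC 8628 section 3.4 lists grant_type, device_code and client_id;
    # scope is not a parameter of this request.
    for name in ("grant_type", "device_code", "client_id"):
        if not params.get(name):
            raise TokenError("invalid_request")
    if params["grant_type"] != DEVICE_GRANT:
        raise TokenError("unsupported_grant_type")
    rec = store.get(params["device_code"])
    # The device code is bound to the client that started the flow.
    if rec is None or rec.client_id != params["client_id"]:
        raise TokenError("invalid_grant")
    if now >= rec.expires_at:
        raise TokenError("expired_token")
    if not rec.user_approved:
        raise TokenError("authorization_pending")
    # Any scope the client sends here is ignored: the token carries only
    # the scopes the user approved on the persisted record.
    return {"access_token": "tok-" + rec.device_code, "token_type": "Bearer",
            "scope": " ".join(sorted(rec.approved_scopes))}

def sample_store() -> dict:
    """Constructed sample: the user approved only 'read' out of 'read write'."""
    rec = DeviceCodeRecord("dc-1", "app-1", frozenset({"read", "write"}),
                           frozenset({"read"}), True, 1000.0)
    return {rec.device_code: rec}
```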