Scope parameter should not be sent when undefined #98

FMCorz · 2019-02-14T03:25:51Z

When the scope is undefined, its parameter is still set and send through as an empty string. The RFC states that the scope parameter can be omitted. I suggest that an undefined scope should not be attached to the request as an empty string.

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope.

https://tools.ietf.org/html/rfc6749#section-3.3

If `scopes` is set to `""` or `[]` then we should send an empty string. If `scopes` is undefined (not set), then we don't send it at all.

…ulesoft-labs#154) If `scopes` is set to `""` or `[]` then we should send an empty string. If `scopes` is undefined (not set), then we don't send it at all.

postatum mentioned this issue Jul 27, 2020

Fixes #98: Do not send empty scopes to an auth server #154

Merged

postatum self-assigned this Jul 27, 2020

postatum added the enhancement label Jul 27, 2020

postatum closed this as completed in #154 Aug 3, 2020

postatum added a commit that referenced this issue Aug 3, 2020

Fixes #98: Do not send empty scopes to an auth server (#154)

a237644

If `scopes` is set to `""` or `[]` then we should send an empty string. If `scopes` is undefined (not set), then we don't send it at all.

postatum mentioned this issue Aug 3, 2020

Release 4.3.3 #156

Merged

mbrinkl mentioned this issue Jun 5, 2023

can't remove scope from request soofstad/react-oauth2-pkce#96

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scope parameter should not be sent when undefined #98

Scope parameter should not be sent when undefined #98

FMCorz commented Feb 14, 2019

Scope parameter should not be sent when undefined #98

Scope parameter should not be sent when undefined #98

Comments

FMCorz commented Feb 14, 2019