You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On device authorization flow, according to RFC8628, the "Device Access Token Request" should send these parameters:
grant_type
device_code
client_id
As you can see there is no scope parameter, because the scope parameter had been sent on the first step "Device Authorization Request":
client_id
scope
The scopes are requested by the client on the first request and should be persisted on the DB. When user enters the user code we display the client info and list of scopes to be approved by user. So the client shouldn't specify scopes on the last request, but the current implementation requires scopes on DeviceCodeGrant::respondToAccessTokenRequest() mistakenly:
I think you should get the scopes from $deviceCodeEntity instead, which was persisted on the DB.
-$scopes = $this->validateScopes($this->getRequestParameter('scope', $request, $this->defaultScope));
$deviceCodeEntity = $this->validateDeviceCode($request, $client);
+$scopes = $deviceCodeEntity->getScopes(); // no need to call `validateScope` because already done on `respondToDeviceAuthorizationRequest` before persisting to DB
Am I missing something?
The text was updated successfully, but these errors were encountered:
On device authorization flow, according to RFC8628, the "Device Access Token Request" should send these parameters:
grant_type
device_code
client_id
As you can see there is no
scope
parameter, because the scope parameter had been sent on the first step "Device Authorization Request":client_id
scope
The scopes are requested by the client on the first request and should be persisted on the DB. When user enters the
user code
we display the client info and list of scopes to be approved by user. So the client shouldn't specify scopes on the last request, but the current implementation requiresscopes
onDeviceCodeGrant::respondToAccessTokenRequest()
mistakenly:oauth2-server/src/Grant/DeviceCodeGrant.php
Lines 140 to 141 in 2ed9e5f
I think you should get the scopes from
$deviceCodeEntity
instead, which was persisted on the DB.Am I missing something?
The text was updated successfully, but these errors were encountered: