Problem/Motivation

Currently in v6 the Consumer form only lets you specify default scopes for the consumer if the client_credentials grant type is enabled. But default scopes are granted for any authorization request, regardless of the grant type, when no specific scope is requested.

I believe this is the relevant part of the OAuth2 spec: https://datatracker.ietf.org/doc/html/rfc6749#section-3.3

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

Scope clarified in #13

Limiting the allowed scopes only makes sense for client credentials. For more information, see: https://www.drupal.org/project/simple_oauth/issues/3495325

Client credentials can both limit allowed scopes and provide default scopes. Because of this, we can’t make the existing scope field generic, since a consumer may have multiple grant types enabled with different scope policies. Therefore, we need to introduce a dedicated scopes field on the consumer for the authorization code.

Regarding failing the authorization request when at least one scope is not provided, either by the request or by the default scope set on the consumer, this is a valid approach for the authorize controller.

Steps to reproduce

Try to add default scopes to a consumer without the client credentials grant

Proposed resolution

Allow setting default scopes on consumers regardless of selected grant types

Remaining tasks

Implement

User interface changes

Default scopes are always shown in Consumer form

API changes

None

Data model changes

None

CommentFileSizeAuthor
#4 default-scopes-after.png120.33 KBpaul121

Issue fork simple_oauth-3398468

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

About issue forks

Comments

paul121 created an issue. See original summary.

paul121’s picture

paul121 commented
Title: Allow consumer scopes to be set regardless of grant type » Allow default scopes to be set regardless of grant type

paul121 opened merge request !111

paul121’s picture

paul121 commented
StatusFileSize
new default-scopes-after.png120.33 KB

Attaching screenshot of what this looks like. The scopes field is available below the 3rd party/confidential fields, but before Redirect URIs.

paul121’s picture

paul121 commented
Status: Active » Needs review

bojan_dev made their first commit to this issue’s fork.

bojan_dev’s picture

bojan_dev commented
Status: Needs review » Needs work

I made a few changes to support the default scopes in all grant types. Remaining tasks:

  • Check if we still need the default scope logic in the ScopeRepository::finalizeScopes.
  • Add tests for all grant types.
kingdutch’s picture

kingdutch
he/him
Primary language English
commented

I just want to note that this is not a bug but rather a feature request (though I'll leave changing the category to others if you agree).

As already shown in the issue summary:

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

In the initial implementation we specifically chose to go for the "fail the request indicating an invalid scope" route.

In any change we make to this we should ensure that the module can be configured to disallow the use of default scopes and force clients to request some.

claudiu.cristea made their first commit to this issue’s fork.

claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented
Status: Needs work » Needs review
claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented

In one of our projects, we have a consumer factory and we need to assign scopes to consumers that have also the Authorization Code grant type. Client should not be aware of scopes when performing the request because scopes should be already contained in the consumer. This issue is allowing that (I think in earlier versions of the module this was possible as I saw in one of the YouTube tutorials).

Regarding the failing test, I'm not sure what is the expectancy.

Given this requirement...

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

I think we should fail when at least one scope is not provided either by request, or as default scope set in the consumer. Or I'm missing something?

claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented

Of course, some tests are failing now. With client_credentials grant type, if the scopes were already configured in the consumer, it was not possible to pass an additional one in request. But authorization_code didn't had this constraint. If we apply the same policy to authorization_code I don't think it is a BC break, as, until now, it wasn't possible to store scopes inside consumer for this grant type.

This needs to get some feedback from the maintainers.

bojan_dev’s picture

bojan_dev commented
Status: Needs review » Needs work

Limiting the allowed scopes only makes sense for client credentials. For more information, see: https://www.drupal.org/project/simple_oauth/issues/3495325

Client credentials can both limit allowed scopes and provide default scopes. Because of this, we can’t make the existing scope field generic, since a consumer may have multiple grant types enabled with different scope policies. Therefore, we need to introduce a dedicated scopes field on the consumer for the authorization code.

Regarding failing the authorization request when at least one scope is not provided, either by the request or by the default scope set on the consumer, this is a valid approach for the authorize controller.

claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented

Regarding failing the authorization request when at least one scope is not provided, either by the request or by the default scope set on the consumer, this is a valid approach for the authorize controller.

This means default scopes will be merged with scopes passed to request in order to get the final request scopes?

bojan_dev’s picture

bojan_dev commented

This means default scopes will be merged with scopes passed to request in order to get the final request scopes?

I wouldn’t merge it; this way, authorization can be requested with fewer scopes than the default if needed.

claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented
Issue summary: View changes

Updating the IS after clarified the scope of this issue in #13.

More discussions took place on Slack, see https://drupal.slack.com/archives/C1BMUQ9U6/p1757918379890819

saidatom made their first commit to this issue’s fork.

dimilias’s picture

dimilias commented
Status: Needs work » Reviewed & tested by the community

I have reviewed the patch and works fine. I do not like the redundant comments like "Log in the user" but I see that all tests are like that so it is fine to stay for consistency even if it is unumbered.

bojan_dev’s picture

bojan_dev commented
Status: Reviewed & tested by the community » Needs work
saidatom’s picture

saidatom
Location Lisbon
commented
Status: Needs work » Needs review
bojan_dev’s picture

bojan_dev commented
Status: Needs review » Needs work
saidatom’s picture

saidatom
Location Lisbon
commented
Status: Needs work » Needs review
huzooka’s picture

huzooka
Primary language Hungarian
Location Hungary 🇭🇺🇪🇺
commented
Status: Needs review » Reviewed & tested by the community

The only thing that bothers me is that the word "creds" had to be taken into CSpell ignore while it is only used in tests/src/Functional/AuthCodeFunctionalTest.php , in the name of a variable and also in a test entity's ID.

At the same time, as far as I understand, all the points raised by @bojan_dev are addressed. I give an RTBC in advance but let him decide about the next steps here.

bojan_dev’s picture

bojan_dev commented
Status: Reviewed & tested by the community » Needs work
saidatom’s picture

saidatom
Location Lisbon
commented
Status: Needs work » Needs review
bojan_dev’s picture

bojan_dev commented

I simplified the loadByGrantType() implementation since the code felt a bit overcomplicated. We only need to load scopes for one grant type anyway, so this should be the final step. If someone could take a look at my last commit, we can go ahead and merge it.

saidatom’s picture

saidatom
Location Lisbon
commented
Status: Needs review » Reviewed & tested by the community

Looks good move to RTBC.

  • bojan_dev committed e5ea7148 on 6.0.x authored by paul121 
    [#3398468] feat: Allow default scopes to be set regardless of grant type...
bojan_dev’s picture

bojan_dev commented
Status: Reviewed & tested by the community » Fixed

Thank you all for your contributions!

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

claudiu.cristea’s picture

claudiu.cristea
Primary language Romanian
Location Arad 🇷🇴
commented

Nice to see this completed. Thanks to all involved

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.