The Simple OAuth module strives for compatibility with RFC 6749 et al., the OAuth 2.0 standard. Most of that spec compliance comes from the league/oauth2-server library the module is built on; however, the Drupal module makes some local decisions, e.g. when naming JWT token claims.
Simple OAuth 5.2.0 includes changes to the module's behavior which may break compatibility with clients that depend on the previously incorrect or ambiguous implementation.
Specifically:

- #3193609: invalid_credentials error does not conform to OAuth2 spec incorporates a change from upstream league/oauth2-server. Incorrect user (resource owner) credentials, e.g. a bad username/password in the password grant, previously produced an `invalid_credentials` error, a code RFC 6749 does not define; they now return the spec-compliant `invalid_grant` error from RFC 6749 section 5.2 (a failure to authenticate the client itself is still `invalid_client`). The naming is confusing, yes, but the reasoning is explained in depth in the upstream PR notes, and spec-compliant clients should already handle `invalid_grant`.
- This module issues JWT access tokens, which include a claim attesting to the scopes granted to the token. #3247846: [BC break] Rename scopes to scope in JWT payload changes the previous `scopes` claim to `scope`, without the plural S. RFC 6749 is silent on this question, because access tokens need not be JWTs. However, RFC 8693 (token exchange) registered the `scope` claim name in the IANA JSON Web Token Claims registry, RFC 9068 (the JWT profile for OAuth 2.0 access tokens) uses the same claim, and the spelling is consistent with the `scope` request and response parameters.
These changes are unlikely to affect the vast majority of site owners using OAuth 2.0 authorization flows. However, before upgrading to 5.2.x, review your clients and authorization models across potentially affected systems. A client that branches on the literal `invalid_credentials` error string must accept `invalid_grant` as well. If you use JWT tokens issued by Drupal to grant access to other systems that rely on the scope claim, you may need to change code in the relying system. Alternatively, override `AccessTokenEntity::convertToJWT()` to retain the existing claim name.
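The two changes above as they look from the consuming side, as an added example in Python that is not code from Simple OAuth or league/oauth2-server: a client that normalizes the token-endpoint error code (accepting the legacy `invalid_credentials` alias), and a relying system that reads the renamed scope claim. It assumes pre-5.2 tokens carried `scopes` as a JSON array of scope ids and 5.2+ tokens carry `scope` (accepting both the array and the space-delimited string form RFC 8693 specifies). Its sample tokens are constructed fixtures signed with HS256 only so the example runs offline; tokens issued by Drupal are signed with the site's RSA key and must be verified against the site's public key with a JOSE library, with `exp`, `aud` and `iss` checked, before any claim is trusted.

```python
"""Client/relying-party compatibility shims for Simple OAuth 5.2.0 (added example).

Assumptions (labelled): legacy JWTs carry `scopes` as a JSON array, 5.2+ JWTs
carry `scope`; the HS256 fixtures below stand in for Drupal's RSA-signed tokens.
"""
import base64
import hashlib
import hmac
import json

# Error codes a token-endpoint client must recognize per RFC 6749 section 5.2.
RFC6749_TOKEN_ERRORS = {
    "invalid_request", "invalid_client", "invalid_grant",
    "unauthorized_client", "unsupported_grant_type", "invalid_scope",
}
# Non-standard code emitted before Simple OAuth 5.2.0 for bad user credentials.
LEGACY_ERROR_ALIASES = {"invalid_credentials": "invalid_grant"}


def normalize_token_error(response_body: str) -> str:
    """Map a token-endpoint error response body to its RFC 6749 error code.

    One client build then works against pre- and post-5.2 servers; any other
    unknown code is rejected rather than silently passed through.
    """
    error = json.loads(response_body).get("error")
    error = LEGACY_ERROR_ALIASES.get(error, error)
    if error not in RFC6749_TOKEN_ERRORS:
        raise ValueError(f"unknown token error code: {error!r}")
    return error


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 test token (fixture only, see module docstring)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Verify the signature and return the payload; the alg is pinned, never
    taken from the header, to rule out algorithm-confusion attacks."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in JWT header")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("JWT signature verification failed")
    return json.loads(_b64url_decode(payload_b64))


def granted_scopes(claims: dict) -> frozenset:
    """Return the scope ids from a *verified* payload.

    Reads `scope` (5.2+) or the legacy `scopes`. A token carrying both is
    refused: a consumer that silently prefers one could be steered by the other.
    """
    if "scope" in claims and "scopes" in claims:
        raise ValueError("token carries both 'scope' and 'scopes' claims")
    value = claims["scope"] if "scope" in claims else claims.get("scopes")
    if value is None:
        return frozenset()
    if isinstance(value, str):          # space-delimited, RFC 6749 / RFC 8693 form
        return frozenset(value.split())
    if isinstance(value, list) and all(isinstance(s, str) for s in value):
        return frozenset(value)         # assumed legacy JSON-array form
    raise ValueError("malformed scope claim")


def authorize(token: str, key: bytes, required_scope: str) -> bool:
    """Relying-system check: does a valid token grant `required_scope`?"""
    return required_scope in granted_scopes(verify_hs256_jwt(token, key))


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # fixture key, not a real secret
    old = make_hs256_jwt({"sub": "42", "scopes": ["authenticated", "content_editor"]}, KEY)
    new = make_hs256_jwt({"sub": "42", "scope": "authenticated content_editor"}, KEY)
    print(authorize(old, KEY, "content_editor"), authorize(new, KEY, "content_editor"))
    print(normalize_token_error('{"error":"invalid_credentials"}'))  # invalid_grant
```

`granted_scopes` is deliberately strict about the dual-claim case; a site that overrides `AccessTokenEntity::convertToJWT()` to emit both names during a migration will need to relax that check for the transition window.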