
Issue #3495325: Limit the allowed scopes by default scopes via the consumer for the client credentials grant type

Merged Issue #3495325: Limit the allowed scopes by default scopes via the consumer for the client credentials grant type
Merged Bojan Bogdanovic requested to merge issue/simple_oauth-3495325:3495325-no-way-to into 6.0.x
@@ -113,6 +113,8 @@ class Oauth2Token extends ControllerBase {
$server_request = $this->httpMessageFactory->createRequest($request);
$server_response = new Response();
$client_id = $request->get('client_id');
$grant_type = $request->get('grant_type');
$scopes = $request->get('scope');
$lock_key = $this->createLockKey($request);
@@ -135,6 +137,16 @@ class Oauth2Token extends ControllerBase {
}
$client_drupal_entity = $client_entity->getDrupalEntity();
// Omitting scopes is not allowed when dealing with client_credentials
// and no default scopes are set.
if (
$grant_type === 'client_credentials' &&
empty($scopes) &&
$client_drupal_entity->get('scopes')->isEmpty()
) {
throw OAuthServerException::invalidRequest('scope');
}
// Respond to the incoming request and fill in the response.
$server = $this->authorizationServerFactory->get($client_drupal_entity);
$response = $server->respondToAccessTokenRequest($server_request, $server_response);
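Review bot: The new guard only rejects the case where the request omits `scope` and the consumer has no default scopes; it does not itself enforce that an explicitly requested scope list is limited to the consumer's configured scopes, which is what the merge request title promises, so unless that narrowing happens in one of the other changed files (not visible here) an explicit over-broad scope request passes this check unchanged. A short comment on the condition would make the division of responsibility explicit, for example `// This only rejects the "no scope at all" case; requested scopes are narrowed to the consumer's scopes downstream.` once that is confirmed. The `empty($scopes)` test also treats the literal string `'0'` as a missing scope; `($scopes === null || $scopes === '') &&` states the intent precisely and matches the `===` used on the line above. The `$client_drupal_entity->get('scopes')->isEmpty()` call is reached only for the client_credentials grant because of short-circuiting, which is worth a word since other grants may not have that field populated. The enclosing method starts before and continues past this hunk.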