This repository has been archived by the owner on Jun 1, 2023. It is now read-only.
Empty scope in Token Exchange response #60
Comments
|
Interesting! I think that in most cases leaving out scope is interpreted as a scope with no value. But if you look at the definition of scope (RFC6749 section 3.3) it says: Which means if I remember my ABNF right, that scope="" is NOT permitted. |
|
Begs the question why would you issue an access token with no scope ? |
|
I guess there is no reasonable usage of an access token with no scope, so maybe we should just leave oidcmsg as is and raise an appropriate error in oidcop. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hello,
We are facing a situation in our implementation of Token Exchange where the client's requested scope is filtered out to an empty list as a result of applying specific policy restrictions.
I.e the CLIENT_A asks to exchange an access token with another access token by setting a specific set of scopes in the Token Exchange request. However the configured token exchange policy restricts the specific client from asking all the requested scopes.
According to RFC8693 for a successful Token Exchange response:
In addition according to RFC6749 regarding the Access Token Scope:
Based on the references above I think it is rational to permit empty string as a legitimate scope in the Exchange Token and (?) Access Token responses. Any comments?
The text was updated successfully, but these errors were encountered: