MDL-70268 core: Update the oauthlib to exclude scope if none provided

moodle · Mar 3, 2021 · ff411be · ff411be
1 parent 4652b66
commit ff411be
Showing 1 changed file with 15 additions and 7 deletions.
diff --git a/lib/oauthlib.php b/lib/oauthlib.php
@@ -511,14 +511,22 @@ public function get_additional_login_parameters() {
     public function get_login_url() {
 
         $callbackurl = self::callback_url();
+        $defaultparams = [
+            'client_id' => $this->clientid,
+            'response_type' => 'code',
+            'redirect_uri' => $callbackurl->out(false),
+            'state' => $this->returnurl->out_as_local_url(false),
+
+        ];
+        if (!empty($this->scope)) {
+            // The scope should only be included if a value is set.
+            // If none provided, the server MUST process the request and provide an appropriate documented response.
+            // See spec https://tools.ietf.org/html/rfc6749#section-3.3
+            $defaultparams['scope'] = $this->scope;
+        }
+
         $params = array_merge(
-            [
-                'client_id' => $this->clientid,
-                'response_type' => 'code',
-                'redirect_uri' => $callbackurl->out(false),
-                'state' => $this->returnurl->out_as_local_url(false),
-                'scope' => $this->scope,
-            ],
+            $defaultparams,
             $this->get_additional_login_parameters()
         );