
Missing client specific scope (grants) in UserinfoController #2

Open
typoworx-de opened this issue Jan 28, 2022 · 1 comment

Comments

@typoworx-de

Great work, and thanks for sharing this great OAuth work with the community.

I'm struggling with a problem and I'm not sure if this is a configuration-specific issue or a bug. I got OAuth & authentication against frontend users working.

Doing the call to /oauth2/userinfo works as well, but it gives me only {"sub": 10} (FE-User uid). In the client record I configured the following allowed_scopes: profile, email, openid.

So I would expect these scopes/grants to be respected. But for some reason the $scopes in UserinfoController are an empty array, missing all the grants from the client record.

Is this a bug in UserinfoController or a misconfiguration?

@r3h6
Owner

r3h6 commented Jan 31, 2022

As far as I know, the underlying library respects the scopes submitted in the token. These scopes must already be requested at the very beginning of the authorization flow.
At least in my local setup the endpoint returns the data from the fe_user.

Maybe enabling debug logs gives you a better insight:

// Debug-level file logging for the extension's Oauth2Server namespace
$GLOBALS['TYPO3_CONF_VARS']['LOG']['R3H6']['Oauth2Server']['writerConfiguration'] = [
    \TYPO3\CMS\Core\Log\LogLevel::DEBUG => [
        \TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
            // uncomment to write to a dedicated file instead of the default log
            // 'logFile' => 'typo3temp/logs/oidc.log'
        ],
    ],
];

// Same for the OidcServer namespace (userinfo / OIDC-specific code paths)
$GLOBALS['TYPO3_CONF_VARS']['LOG']['R3H6']['OidcServer']['writerConfiguration'] = [
    \TYPO3\CMS\Core\Log\LogLevel::DEBUG => [
        \TYPO3\CMS\Core\Log\Writer\FileWriter::class => [
            // 'logFile' => 'typo3temp/logs/oidc.log'
        ],
    ],
];
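Added illustration (not the extension's code, and not part of either comment above): how the claims a userinfo endpoint returns follow from the scopes carried in the token, which are the scopes requested at authorization time capped by the client record's allowed_scopes. The fe_user sample row, the helper names and the scope-to-claim table are constructed here; the table follows the OIDC Core standard claims.

```php
<?php
declare(strict_types=1);

// Constructed scope-to-claim mapping (OIDC Core 5.4 standard claims, subset).
// 'sub' is always returned, so 'openid' adds no extra claim here.
const SCOPE_CLAIMS = [
    'openid'  => [],
    'profile' => ['name', 'given_name', 'family_name', 'preferred_username'],
    'email'   => ['email'],
];

/**
 * Scopes a token may carry: those requested in the authorization request,
 * capped by the client's allowed_scopes. Requesting nothing yields nothing,
 * no matter how generous the client record is.
 */
function grantScopes(array $requestedScopes, array $allowedScopes): array
{
    return array_values(array_intersect($requestedScopes, $allowedScopes));
}

/**
 * Build userinfo claims for a fe_user row, releasing only the claims covered
 * by the token's scopes. With no scopes beyond openid the response collapses
 * to {"sub": <uid>}, the behaviour reported in the issue.
 */
function buildUserinfo(array $feUser, array $tokenScopes): array
{
    $available = [
        'name'               => $feUser['name'] ?? null,
        'given_name'         => $feUser['first_name'] ?? null,
        'family_name'        => $feUser['last_name'] ?? null,
        'preferred_username' => $feUser['username'] ?? null,
        'email'              => $feUser['email'] ?? null,
    ];
    $claims = ['sub' => $feUser['uid']];
    foreach ($tokenScopes as $scope) {
        foreach (SCOPE_CLAIMS[$scope] ?? [] as $claim) {
            if ($available[$claim] !== null) {
                $claims[$claim] = $available[$claim];
            }
        }
    }
    return $claims;
}

// Constructed sample data: a fe_user row and a client allowing profile, email, openid.
$feUser  = ['uid' => 10, 'username' => 'jdoe', 'name' => 'Jane Doe',
            'first_name' => 'Jane', 'last_name' => 'Doe', 'email' => 'jane@example.com'];
$allowed = ['profile', 'email', 'openid'];

// Authorization request asked only for "openid": result is {"sub":10}.
echo json_encode(buildUserinfo($feUser, grantScopes(['openid'], $allowed))), "\n";
// Authorization request asked for all three: profile and email claims are released.
echo json_encode(buildUserinfo($feUser, grantScopes(['openid', 'profile', 'email'], $allowed))), "\n";
```

The second call is what the reporter expected; the first reproduces what they saw, which is why the fix is in the authorization request's scope parameter rather than in UserinfoController.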
