ImplicitGrant finalizes scopes without user identifier #923
This PR fixes #737 and #786.
In the Implicit Grant, the scopes were previously finalized before the AuthorizationRequest was even created: this allowed for no changes to the scopes before creating the access token, and made it impossible to finalize the scopes depending upon the user ID (#737).
To adhere to the documentation, the scopes should be finalized right before the access token is issued.
Beware: this may be a breaking change for some implementations (although it shouldn't). Although the tests didn't need any changing (except for passing in a new mock function, which is accessible in real situations anyway), it may still break active implementations.
All tests ran fine, and code coverage was the same.
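The ordering problem described in this PR, as an added Python model that is not part of the PR or the project's code. The policy table, function names and token shape are assumptions made for illustration; only the order in which scopes are finalized mirrors the description.

```python
# Constructed model of the two orderings; all names and data are hypothetical.
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy: scopes each known user may be granted.
USER_ALLOWED = {"alice": {"profile", "admin"}, "bob": {"profile"}}

def finalize_scopes(requested: List[str], user_id: Optional[str] = None) -> List[str]:
    """Last chance to alter scopes. Without a user identifier there is
    nothing to check against, so the per-user restriction cannot apply."""
    if user_id is None:
        return list(requested)
    allowed = USER_ALLOWED.get(user_id, set())
    return [s for s in requested if s in allowed]

@dataclass
class AuthorizationRequest:
    scopes: List[str]
    user_id: Optional[str] = None

def issue_token_old(requested: List[str], user_id: str) -> dict:
    # Old order: scopes finalized before the request exists, so no user is known.
    request = AuthorizationRequest(scopes=finalize_scopes(requested))
    request.user_id = user_id  # user authenticates afterwards
    return {"user": request.user_id, "scopes": request.scopes}

def issue_token_new(requested: List[str], user_id: str) -> dict:
    # New order: request carries the raw scopes; finalize right before issuing.
    request = AuthorizationRequest(scopes=list(requested))
    request.user_id = user_id
    final = finalize_scopes(request.scopes, request.user_id)
    return {"user": request.user_id, "scopes": final}

if __name__ == "__main__":
    asked = ["profile", "admin"]
    for user in ("alice", "bob"):
        print(user, "old:", issue_token_old(asked, user)["scopes"],
              "new:", issue_token_new(asked, user)["scopes"])
```

In the old order the token for `bob` keeps a scope the per-user policy would have removed; in the new order it is stripped before issuance.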
This looks good to me. I think there is a change in performance here as we are moving the finalize scopes to a later stage in the process, but I don't think this is of too much concern and don't think it constitutes a BC breaking change, so I'm happy to include it in this version. Thanks for your efforts here.