Token endpoint doesn't accept "scope" query parameter #3311

Open

minhnd410 opened this issue Oct 25, 2022 · 1 comment

Labels: bug (Something is not working.)

minhnd410 commented Oct 25, 2022

### Describe the bug

A POST request to the token endpoint does not accept the "scope" query parameter. I did not find a "scope" property in the request body in Ory docs > Reference > HTTP API, but RFC 6749 does have that property. Trying to request an access token with a narrower scope did not work and always returns all scopes.

### Reproducing the bug

1. `docker-compose up`

2. Create the client

```sh
curl -XPOST --data '{
   "audience": ["browser-client"],
   "client_id": "browser-client",
   "client_secret": "browser-secret",
   "grant_types": ["authorization_code", "refresh_token"],
   "response_types": ["code"],
   "scope": "openid offline_access new_scope",
   "redirect_uris": ["http://127.0.0.1:5555/callback"],
   "token_endpoint_auth_method": "client_secret_post"
}' http://127.0.0.1:4445/clients | jq '.'
```

3. Request login (URL quoted so the shell does not treat `&` as a background operator)

```sh
curl --dump-header xcoivjuywkdkhvusuye3kch.header -XGET 'http://127.0.0.1:4444/oauth2/auth?response_type=code&client_id=browser-client&redirect_uri=http://127.0.0.1:5555/callback&scopes=openid+offline_access+new_scope&state=xcoivjuywkdkhvusuye3kchs'
```

4. Accept login_challenge

```sh
curl --silent -XPUT 'http://localhost:4445/oauth2/auth/requests/login/accept?login_challenge=ddf963d79eac4a5b9f143bedb60f148f' -d '{
  "acr": "oauth2",
  "remember": false,
  "remember_for": 0,
  "subject": "[email protected]"
}' | jq '.'
```

5. Accept consent_challenge

```sh
curl --silent -XPUT 'http://127.0.0.1:4445/oauth2/auth/requests/consent/accept?consent_challenge=5f349bd2bea341519752532fb5a6162e' -d '{
  "grant_access_token_audience": [
    "browser-client"
  ],
  "grant_scope": [
    "openid", "offline_access", "new_scope"
  ],
  "handled_at": "2022-10-23T20:49:00Z",
  "remember": false,
  "remember_for": 0,
  "session": {
    "id_token": {
      "first_name": "Ha",
      "last_name": "Hahah"
    }
  }
}' | jq '.'
```

6. Get the set of access, refresh and ID tokens

```sh
curl -sv -XPOST http://127.0.0.1:4444/oauth2/token --data 'grant_type=authorization_code&scope=openid+new_scope&code=nsKIP9CIbHT0GWVtfqBtRz6AQOXWEF1kvqzqAT2Ti2c.K64LNpoee1__QN_aK8r0H0gP4ly6sRaAanPaWPrWaG4&redirect_uri=http://127.0.0.1:5555/callback&client_id=browser-client&client_secret=browser-secret'
```

7. Try to obtain a new access token (did not pass offline_access in scope)

```sh
curl -sv -XPOST http://127.0.0.1:4444/oauth2/token --data 'scope=new_scope&grant_type=refresh_token&refresh_token=-CAzco5HD8hAm-r2BShuSSrABiBmSEkixdFuSJHbR00.N_5QbSUJ4SVn3o-RyBfHJBUgEse-FEVKz7J4WW0S55A&client_id=browser-client'
```

But it returns a new refresh token and invalidates the previous one

```json
{
  "access_token": "aaa",
  "expires_in": 3599,
  "id_token": "bbb",
  "refresh_token": "ccc",
  "scope": "openid offline_access new_scope",
  "token_type": "bearer"
}
```

### Relevant log output

```text
time=2022-10-24T19:36:17Z level=info msg=completed handling request func=github.com/ory/x/reqlog.(*Middleware).ServeHTTP file=/go/pkg/mod/github.com/ory/[email protected]/reqlog/middleware.go:139 http_request=map[headers:map[accept:application/json content-length:196 content-type:application/x-www-form-urlencoded user-agent:curl/7.79.1] host:127.0.0.1:4444 method:POST path:/oauth2/token query:<nil> remote:172.27.0.1:58026 scheme:http] http_response=map[headers:map[cache-control:no-store content-type:application/json;charset=UTF-8 pragma:no-cache] size:2552 status:200 text_status:OK took:161.040041ms]
```

### Relevant configuration

`docker-compose.yml`:

```yaml
version: '3.9'
services:

    psql:
        image: postgres:13.2
        restart: unless-stopped
        environment:
            POSTGRES_USER: ory-user
            POSTGRES_PASSWORD: ory-pass
            POSTGRES_DB: ory-data
        ports:
            - 5432:5432
        networks:
            - ory

    hydra-migrate:
        depends_on:
            - psql
        image: oryd/hydra:v1.11.10
        restart: on-failure
        command:
            migrate -c /etc/config/hydra/hydra.yml sql -e --yes
        environment:
            DSN: postgres://ory-user:ory-pass@psql:5432/ory-data?sslmode=disable&max_conns=20&max_idle_conns=4
        volumes:
            -
                type: bind
                source: ./configs/hydra
                target: /etc/config/hydra
        networks:
            - ory

    hydra:
        depends_on:
            - hydra-migrate
        image: oryd/hydra:v1.11.10
        restart: unless-stopped
        command:
            serve -c /etc/config/hydra/hydra.yml all --dangerous-force-http
        environment:
            DSN: postgres://ory-user:ory-pass@psql:5432/ory-data?sslmode=disable&max_conns=20&max_idle_conns=4
            LOG_LEVEL: trace
        volumes:
            -
                type: bind
                source: ./configs/hydra
                target: /etc/config/hydra
        ports:
            - 4444:4444
            - 4445:4445
            - 5555:5555
        networks:
            - ory

networks:
    ory:
```

`config/hydra/hydra.yml`:

```yaml
serve:
    cookies:
        same_site_mode: Lax

urls:
    self:
        issuer: http://127.0.0.1:4444
    consent: http://127.0.0.1:3000/consent
    login: http://127.0.0.1:3000/login
    logout: http://127.0.0.1:3000/logout

secrets:
    system:
    - youReallyNeedToChangeThis

oidc:
    subject_identifiers:
        supported_types:
        - pairwise
        - public
        pairwise:
            salt: youReallyNeedToChangeThis

strategies:
    access_token: jwt
    scope: exact

tracing:
    provider: jaeger
    service_name: Hydra
    providers:
        jaeger:
            local_agent_address: jaeger:6831
            sampling:
                type: const
                value: 1
                server_url: http://jaeger:5778/sampling
```


### Version

1.11.10

### On which operating system are you observing this issue?

macOS

### In which environment are you deploying?

Docker Compose

### Additional Context

_No response_
@minhnd410 minhnd410 added the bug Something is not working. label Oct 25, 2022
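The behaviour the report expects is the RFC 6749 §6 rule for the `refresh_token` grant: a `scope` parameter on the refresh request may only narrow the originally granted scope, an omitted `scope` means "same as before", and asking for anything not originally granted is an `invalid_scope` error. The following Go program is an added example written for this page, not Hydra or fosite code: `narrowScope` implements that rule, and `checkNarrowed` is the client-side check a tester would run over the token endpoint's JSON reply. The response body it parses is constructed to match the one in the report (token values `aaa`/`bbb`/`ccc` are the placeholders the reporter used).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// tokenResponse holds the RFC 6749 §5.1 fields relevant to this check.
// id_token and any other fields are ignored by encoding/json.
type tokenResponse struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token,omitempty"`
	Scope        string `json:"scope"`
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
}

// scopeSet splits a space-delimited scope string (RFC 6749 §3.3) into a set.
func scopeSet(s string) map[string]struct{} {
	out := map[string]struct{}{}
	for _, f := range strings.Fields(s) {
		out[f] = struct{}{}
	}
	return out
}

// narrowScope applies the RFC 6749 §6 rule for a refresh_token grant:
// an empty request keeps the original grant; every requested scope must
// have been granted originally, otherwise the grant fails with invalid_scope.
func narrowScope(originallyGranted, requested string) (string, error) {
	if strings.TrimSpace(requested) == "" {
		return originallyGranted, nil
	}
	granted := scopeSet(originallyGranted)
	var issued []string
	for _, want := range strings.Fields(requested) {
		if _, ok := granted[want]; !ok {
			return "", fmt.Errorf("invalid_scope: %q was not granted originally", want)
		}
		issued = append(issued, want)
	}
	return strings.Join(issued, " "), nil
}

// checkNarrowed parses a token endpoint reply and fails if the server issued
// any scope the client did not ask for on the narrowed refresh request.
func checkNarrowed(body []byte, requested string) (tokenResponse, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return tr, err
	}
	want := scopeSet(requested)
	var extra []string
	for got := range scopeSet(tr.Scope) {
		if _, ok := want[got]; !ok {
			extra = append(extra, got)
		}
	}
	if len(extra) > 0 {
		sort.Strings(extra) // map iteration order is random; make the message stable
		return tr, fmt.Errorf("server issued scopes that were not requested: %s", strings.Join(extra, " "))
	}
	return tr, nil
}

func main() {
	// Constructed reply mirroring the one in the report: scope=new_scope was
	// requested on the refresh, but every originally granted scope came back.
	reported := []byte(`{"access_token":"aaa","expires_in":3599,"id_token":"bbb",` +
		`"refresh_token":"ccc","scope":"openid offline_access new_scope","token_type":"bearer"}`)
	if _, err := checkNarrowed(reported, "new_scope"); err != nil {
		fmt.Println("reported behaviour:", err)
	}
	conformant, _ := narrowScope("openid offline_access new_scope", "new_scope")
	fmt.Println("RFC 6749 §6 would issue scope:", conformant)
}
```

In OpenID Connect, `offline_access` is the scope that requests a refresh token, so a narrowed refresh that omits it and still receives a fresh `refresh_token` is a second signal, alongside the unchanged `scope` field, that the request's `scope` parameter was not applied.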
aeneasr (Member) commented Oct 25, 2022

Probably related to: ory/fosite#698 (comment)
