OAuth2: Responding to token request when requested scopes differ

Hi, looking for opinions on a scenario of authentication with OAuth2.
I am using the grant_type of ‘client_credentials’ in the mezzio-authentication-oauth2 library.

When requesting a token, the client includes the scope in the request.
The server then responds with the token_type, expires_in, and the access_token.

But what happens if the scope requested differs from what is permitted?

For example:
A client has been granted access to scope “scope1”, but requests “scope1 scope2”

{
    "grant_type": "client_credentials",
    "client_id" : "test",
    "client_secret" : "test_secret",
    "scope" : "scope1 scope2"
}

The server responds with the expected fields:

{
    "token_type": "Bearer",
    "expires_in": 86400,
    "access_token": "eyJ0eXAiOiJ........"
}

This is the correct response according to the mezzio docs and the phpleague OAuth2 Server docs, which the mezzio library uses.

But, according to the OAuth 2 specification:

    If the issued access token scope is different from the one requested by
    the client, the authorization server MUST include the "scope" response
    parameter to inform the client of the actual scope granted.

Including the scope in the response is proving awkward as it isn’t part of the interface, and I am reluctant to make any changes here.

What approach would people recommend to deal with this?

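For illustration, here is an added example (my own Python sketch, not code from mezzio-authentication-oauth2 or league/oauth2-server) of a client_credentials token endpoint that applies the RFC 6749 rule quoted above: it narrows the requested scope to what the client is permitted, includes the "scope" parameter only when the granted scope differs from the request, and returns an invalid_scope error when nothing requested is permitted. The client registry, secrets and the opaque access token are constructed placeholders.

```python
"""Added example (not the mezzio or league/oauth2-server code): build the
token response for a client_credentials grant as RFC 6749 section 5.1
requires, i.e. include "scope" whenever the granted scope differs from the
scope the client asked for."""
import secrets

# Constructed sample client registry: client_id -> secret and permitted scopes.
CLIENTS = {
    "test": {"secret": "test_secret", "scopes": {"scope1"}},
}


def grant_scopes(requested: str, permitted: set) -> list:
    """Keep the requested scopes the client is permitted to use, in request
    order, silently dropping anything the client was never granted."""
    return [s for s in requested.split() if s in permitted]


def token_response(request: dict) -> dict:
    """Handle a client_credentials token request and produce the JSON body.

    Returns an RFC 6749 section 5.2 error object when the grant type or
    client is wrong, or when no requested scope is permitted (invalid_scope).
    """
    if request.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(request.get("client_id"))
    secret = request.get("client_secret", "")
    if client is None or not secrets.compare_digest(client["secret"], secret):
        return {"error": "invalid_client"}
    requested = request.get("scope", "")
    if requested:
        granted = grant_scopes(requested, client["scopes"])
        if not granted:
            return {"error": "invalid_scope"}
    else:
        # No scope requested: section 3.3 lets the server apply a default.
        granted = sorted(client["scopes"])
    body = {
        "token_type": "Bearer",
        "expires_in": 86400,
        # Placeholder opaque token; the real server issues a JWT here.
        "access_token": secrets.token_urlsafe(32),
    }
    # Section 5.1: "scope" is OPTIONAL if identical to the request, otherwise
    # REQUIRED. Compare as sets so mere reordering does not count as a change.
    if set(granted) != set(requested.split()):
        body["scope"] = " ".join(granted)
    return body
```

The other approach the specification allows is to refuse the request outright with invalid_scope whenever any requested scope is not permitted, which avoids touching the success response at all.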

I have raised this as an issue on thephpleague / oauth2-server: