ory/fosite

Need to increase the scope(`openid`) inspection in openid `CanHandleTokenEndpointRequest`

yiuiua opened this issue · 1 comment

Describe the bug

When OAuth2 and OIDC are used together, for OAuth2 requests (scope != 'openid') the PopulateTokenEndpointResponse function (flow_explicit_token.go) should do nothing, but that is not the case.
I think the CanHandleTokenEndpointRequest function should be changed to

```go
func (c *OpenIDConnectExplicitHandler) CanHandleTokenEndpointRequest(requester fosite.AccessRequester) bool {
	return requester.GetGrantTypes().ExactOne("authorization_code") && requester.GetGrantedScopes().Has("openid")
}
```

Reproducing the bug

The explicit token flow should check that GrantTypes includes authorization_code and Scopes includes openid.

Relevant log output

No response

Relevant configuration

No response

Version

v0.42.2

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Binary

Additional Context

No response

The code you reference is called here: https://github.com/ory/fosite/blob/master/handler/openid/flow_explicit_token.go#L39-L41

There is a check here however for this specific case just below: https://github.com/ory/fosite/blob/master/handler/openid/flow_explicit_token.go#L50-L52

Is there something I'm missing in regard to why this isn't ideal? Maybe because of this? https://github.com/ory/fosite/blob/master/access_request_handler.go#L95-L117