
Return scope as a token response param #793

Open
chervand opened this issue Oct 11, 2017 · 6 comments
@chervand

According to https://tools.ietf.org/html/rfc6749#section-5.1

scope
OPTIONAL, if identical to the scope requested by the client;
otherwise, REQUIRED...

and https://tools.ietf.org/html/rfc6749#section-3.3

The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted.

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

Is it possible to return the scope value as a request param by default, to notify clients about the actually granted scopes (in the case of default or omitted ones) without needing to parse the JWT?

@DewaldBodenstein

@chervand have you found a way to accomplish this?

@chervand
Author

@DewaldBodenstein, I believe adding it to the `League\OAuth2\Server\ResponseTypes\BearerTokenResponse` `$responseParams` should be enough.
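
One way to do what the comment above describes, as an added example that is not the project's own code: subclass the bearer token response type and return the issued token's scopes as a top-level `scope` parameter. It assumes the `getExtraParams()` extension point on `BearerTokenResponse` and the optional response-type argument of the `AuthorizationServer` constructor, as found in oauth2-server 6.x/7.x; the `App\OAuth` namespace and `ScopedBearerTokenResponse` class name are made up for the example.

```php
<?php
// Added example, not league/oauth2-server's own code.
// Returns the granted scopes as a "scope" response parameter (RFC 6749 §5.1),
// so a client can see a reduced or defaulted scope without decoding the JWT.
// Assumes BearerTokenResponse::getExtraParams() and the AuthorizationServer
// constructor's optional response-type argument (oauth2-server 6.x/7.x).

namespace App\OAuth;

use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\ResponseTypes\BearerTokenResponse;

final class ScopedBearerTokenResponse extends BearerTokenResponse
{
    /**
     * Extra fields merged into the JSON token response by the parent class.
     *
     * The scopes are read from the issued token entity, i.e. after the
     * ScopeRepository has finalised them, so the value reflects what was
     * actually granted even when the client omitted "scope" in the request
     * or a requested scope was dropped by policy.
     *
     * @return array
     */
    protected function getExtraParams(AccessTokenEntityInterface $accessToken)
    {
        $identifiers = [];
        foreach ($accessToken->getScopes() as $scope) {
            $identifiers[] = $scope->getIdentifier();
        }

        // RFC 6749 §3.3: a space-delimited, case-sensitive list of scope strings.
        return ['scope' => implode(' ', $identifiers)];
    }
}

// Wiring (hypothetical variable names): pass the response type when building the server.
// $server = new \League\OAuth2\Server\AuthorizationServer(
//     $clientRepository,
//     $accessTokenRepository,
//     $scopeRepository,
//     $privateKey,
//     $encryptionKey,
//     new ScopedBearerTokenResponse()
// );
```

Because the parameter comes from the token entity rather than from the original request, it stays correct for every grant type. A client should compare the returned `scope` with what it asked for and treat a narrower grant as a decision to handle explicitly, rather than assuming the requested scopes were all granted.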

@DewaldBodenstein

Thanks, got it working.

@simonhamp

@chervand That's nice. I think in most implementations, if the client requests scopes that aren't supported, the server should respond with an invalid_scope error. However, this is really useful for situations where a scope is valid, but for some other reason has been denied (e.g. authorisation).

And as you rightly mention, it follows spec. In fact, I'd go so far as to say that it's worth having in the response regardless.

Do you fancy making a pull request for this?

@chervand
Author

@simonhamp yes, sure

@christiaangoossens
Contributor

+1, this would be very useful.
