Scope-parameter is required in some cases with client_credentials grant
Description
When the client_credentials grant is used at the token endpoint, the ValidateScope action may throw an NPE if the request doesn't contain a scope parameter:
ERROR [net.shibboleth.idp.plugin.oidc.op.profile:-2] - Uncaught runtime exception
java.lang.NullPointerException: Cannot invoke "com.nimbusds.oauth2.sdk.Scope.iterator()" because "requestedScopes" is null
at net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl.ValidateScope.doExecute(ValidateScope.java:221)
This happens when the function that resolves the allowed scopes returns a non-empty set. That is the case, for instance, when the client's registered metadata contains some scopes.
This is clearly a bug: RFC 6749 (The OAuth 2.0 Authorization Framework) allows the scope parameter to be omitted, as section 4.4.2 lists it as OPTIONAL for the client credentials grant.
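To make the failure and the expected behaviour concrete, here is an added, stand-alone example written for this report; it is not the plugin's ValidateScope code. It uses the Nimbus OAuth2 SDK Scope type that appears in the stack trace and assumes the documented behaviour that Scope.parse(null) returns null, which is the value a token request without a scope parameter yields. The "unsafe" method reproduces the shape of the failing loop; the "safe" method treats a missing scope as RFC 6749 section 3.3 requires (use a pre-defined default or fail), with the registered client scopes standing in for that default, which is an assumption about the desired fix rather than the project's decision.

```java
import com.nimbusds.oauth2.sdk.Scope;

/**
 * Illustrative scope resolution for a client_credentials token request.
 * Not the Shibboleth OIDC plugin's own code; written for this report.
 */
public final class ClientCredentialsScopeCheck {

    /**
     * Reproduces the failing shape: the loop dereferences requestedScopes,
     * which is null when the token request carries no scope parameter.
     */
    static Scope intersectUnsafe(final Scope requestedScopes, final Scope allowedScopes) {
        final Scope granted = new Scope();
        for (Scope.Value value : requestedScopes) { // NPE when requestedScopes == null
            if (allowedScopes.contains(value)) {
                granted.add(value);
            }
        }
        return granted;
    }

    /**
     * Null-safe variant. RFC 6749 s3.3: if the client omits scope, the
     * authorization server MUST either process the request with a
     * pre-defined default or fail it with invalid_scope. Here the client's
     * registered scopes serve as that default (an assumption of this example).
     */
    static Scope intersectSafe(final Scope requestedScopes, final Scope allowedScopes) {
        if (requestedScopes == null || requestedScopes.isEmpty()) {
            // No scope requested: grant the pre-defined default (copy, do not alias).
            return allowedScopes == null ? new Scope() : new Scope(allowedScopes);
        }
        final Scope granted = new Scope();
        for (Scope.Value value : requestedScopes) {
            if (allowedScopes != null && allowedScopes.contains(value)) {
                granted.add(value);
            }
        }
        return granted;
    }

    public static void main(final String[] args) {
        // Constructed inputs: scopes from the client's registered metadata,
        // and a token request that omitted the scope parameter entirely.
        final Scope allowed = Scope.parse("openid profile api.read");
        final Scope requested = Scope.parse(null); // null per SDK docs when the parameter is absent

        System.out.println("safe, no scope requested -> " + intersectSafe(requested, allowed));
        System.out.println("safe, subset requested   -> "
                + intersectSafe(Scope.parse("api.read unknown"), allowed));

        try {
            intersectUnsafe(requested, allowed);
        } catch (NullPointerException e) {
            // Same failure class as the report: iterating a null Scope.
            System.out.println("unsafe -> " + e.getClass().getSimpleName());
        }
    }
}
```

Compile against the Nimbus OAuth2 SDK on the classpath (the plugin already ships it). With the constructed inputs, the safe path grants the three registered scopes when no scope is requested, grants only api.read when an unknown value is mixed in, and the unsafe path throws the NullPointerException seen in the report; whether a deployment should instead answer invalid_scope for a missing parameter is a policy choice the RFC leaves open.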