Fail OAuth2 grants when the resulting scope is empty
Concerned version
Version: 2.0.13
Summary
- Do a Client Credentials or Password grant without specifying a scope and without any scope rules in action.
- An access token is granted with an empty scope.
Spec says:
If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).
We should return invalid_scope when the scope of a token is null, and let admins define a default scope with a scope rule if they want a default scope to be granted.
This is a breaking change; a changelog note is needed.
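The behaviour proposed above, as an added example that is not the project's own code: a scope-resolution step for a token endpoint that applies the quoted rule (RFC 6749 section 3.3, default-or-fail when scope is omitted) and additionally refuses to issue a token whose effective scope is empty after narrowing to the client's allowed scopes. `Client`, its `default_scopes` field (standing in for an admin-defined "scope rule"), `legacy_resolve_scope` (the current behaviour as described in the issue) and the sample clients are all assumptions made for the illustration.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), RFC 6749 section 3.3
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


@dataclass(frozen=True)
class Client:
    """Hypothetical client registration (not the project's model)."""
    client_id: str
    allowed_scopes: frozenset                  # scopes this client may ever be granted
    default_scopes: frozenset = frozenset()    # stands in for an admin-defined default-scope rule


class OAuth2Error(Exception):
    """Carries the error / error_description fields of RFC 6749 section 5.2."""
    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def legacy_resolve_scope(client: Client, requested: Optional[str]) -> Set[str]:
    """Behaviour the issue reports: an empty result is silently accepted and a token is issued."""
    wanted = set((requested or "").split())
    return wanted & client.allowed_scopes


def resolve_scope(client: Client, requested: Optional[str]) -> Set[str]:
    """Proposed behaviour: default-or-fail when scope is omitted, fail when the result is empty."""
    if requested is None or not requested.strip():
        if not client.default_scopes:
            raise OAuth2Error("invalid_scope", "scope omitted and no default scope is defined for this client")
        return set(client.default_scopes)
    wanted = set(requested.split())            # scope list is space-delimited (section 3.3)
    for token in wanted:
        if not SCOPE_TOKEN.match(token):
            raise OAuth2Error("invalid_scope", f"malformed scope token {token!r}")
    granted = wanted & client.allowed_scopes   # narrowing the request is allowed; an empty result is not
    if not granted:
        raise OAuth2Error("invalid_scope", "none of the requested scopes are allowed for this client")
    return granted


def token_response(client: Client, requested: Optional[str]) -> Tuple[int, dict]:
    """HTTP status and JSON body of a token endpoint answer for a client_credentials request."""
    try:
        scope = resolve_scope(client, requested)
    except OAuth2Error as exc:
        return 400, {"error": exc.error, "error_description": exc.description}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        # Always echo the scope: required when it differs from the request (section 5.1),
        # harmless otherwise, and it makes any narrowing visible to the client.
        "scope": " ".join(sorted(scope)),
    }


if __name__ == "__main__":
    # Constructed sample clients, not real registrations.
    no_default = Client("svc-a", frozenset({"read", "write"}))
    with_default = Client("svc-b", frozenset({"read", "write"}), frozenset({"read"}))
    for client, req in [(no_default, None), (with_default, None),
                        (no_default, "read admin"), (no_default, "admin")]:
        print(client.client_id, repr(req),
              "legacy:", legacy_resolve_scope(client, req),
              "proposed:", token_response(client, req))
```

With the first sample client and no scope parameter, `legacy_resolve_scope` returns an empty set and a token would be minted with no scope at all; `token_response` instead answers 400 with `invalid_scope`. The second client carries a default scope, so the same request succeeds with `scope=read`, which is the admin-defined default the issue asks for.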