LLNG is too strict on OIDC scope syntax
Concerned version
Version: 2.0.7
Summary
    # Check scope validity
    unless ( $oidc_request->{'scope'} =~ /^[a-zA-Z_\-\s]+$/ ) {
        $self->logger->error( "Submitted scope is not valid: "
              . $oidc_request->{'scope'} );
        return PE_ERROR;
    }
This check is too strict. OAuth2 defines the scope syntax as:
    scope       = scope-token *( SP scope-token )
    scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
See https://tools.ietf.org/html/rfc6749#section-3.3
We must find a way to allow scopes with all these characters, and take care not to recreate #1599 (closed)
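One way to express the RFC 6749 grammar quoted above as a Perl check. This is an added example, not LemonLDAP::NG's own code; the name `is_valid_scope` is hypothetical and the sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# Printable ASCII except space, double quote (%x22) and backslash (%x5C).
my $SCOPE_TOKEN = qr/[\x21\x23-\x5B\x5D-\x7E]+/;

# scope = scope-token *( SP scope-token )
# \A and \z anchor the whole string; unlike $, \z does not accept a trailing
# newline. Tokens are separated by exactly one SP (%x20); \s, as used in the
# check quoted above, also admits tabs and newlines.
my $SCOPE = qr/\A${SCOPE_TOKEN}(?:\x20${SCOPE_TOKEN})*\z/;

# Hypothetical helper: returns 1 if the scope matches the RFC grammar, else 0.
sub is_valid_scope {
    my ($scope) = @_;
    return 0 unless defined $scope;
    return $scope =~ $SCOPE ? 1 : 0;
}

# Constructed sample values: [ scope string, expected result ]
my @samples = (
    [ 'openid profile email',                   1 ],
    [ 'openid https://example.com/scopes/read', 1 ],    # ':' '/' '.' allowed
    [ 'read:user write.repo user-123',          1 ],    # digits allowed
    [ 'openid  profile',                        0 ],    # two spaces
    [ ' openid',                                0 ],    # leading space
    [ "openid\n",                               0 ],    # trailing newline
    [ "openid\tprofile",                        0 ],    # tab is not SP
    [ 'open"id',                                0 ],    # %x22 excluded
    [ 'open\\id',                               0 ],    # %x5C excluded
    [ '',                                       0 ],    # at least one token
);

for my $sample (@samples) {
    my ( $value, $expected ) = @$sample;
    my $got = is_valid_scope($value);

    # Escape non-printable bytes before printing so the output stays on one line
    ( my $shown = $value ) =~ s/([^\x20-\x7E])/sprintf('\\x%02X', ord $1)/ge;
    printf "%-42s %-8s %s\n", "'$shown'",
      ( $got ? 'valid' : 'invalid' ),
      ( $got == $expected ? 'ok' : 'MISMATCH' );
}
```

The same escaping step is worth applying to a rejected scope before it is written to the log, since the value is client-supplied.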