OTK not checking scope in authorize call

Article ID: 241895

Products

CA API Gateway

Issue/Introduction

We are migrating from GW 9.x and OTK 4.1 to GW 10.1 and OTK 4.4. We have noticed one significant change of behavior: in the authorization code flow, the authorize call will now not end with an 'invalid_scope' error if a scope not defined in the application properties is requested.

Instead, it would proceed and set scope 'oob' for the login page. We have tested with the default OTK installation to make sure this is not caused by some modifications done by us.

Is this expected behavior?

Environment

Release : 10.1

Component :

Resolution

If no scope is defined on the client or application, the authorize flow skips scope verification entirely and falls back to the 'oob' scope; this was also the case in previous OTK versions. Scope verification, and with it the 'invalid_scope' error, is only performed against scopes that have been defined on the client or application, so a client that should be restricted to particular scopes must have those scopes registered.

This is expected behavior.
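The following is an added example, not OTK or CA API Gateway code: it models the scope stage of an authorize call as the resolution describes it (verification skipped and 'oob' used when the client has no scopes defined, 'invalid_scope' when a defined client requests an unregistered scope) next to a fail-closed variant that a practitioner might prefer. The client names, scope names and query strings are constructed for illustration.

```python
"""
Added example, not OTK's or CA API Gateway's own code: a model of the
authorize-endpoint scope check described in the resolution, beside a
fail-closed variant. Client names, scope names and the query strings are
constructed; 'oob' is the fallback scope the article mentions.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

OOB_SCOPE = "oob"  # scope the article says is set for the login page


class InvalidScope(Exception):
    """Where a real server would redirect back with error=invalid_scope."""


@dataclass(frozen=True)
class Client:
    client_id: str
    # Scopes registered on the client/application; empty = "no scope defined".
    registered_scopes: frozenset = field(default_factory=frozenset)


def parse_requested_scope(query_string):
    """Split the RFC 6749 space-delimited scope parameter of an authorize call."""
    params = parse_qs(query_string, keep_blank_values=True)
    return frozenset(params.get("scope", [""])[0].split())


def permissive_scope_check(client, requested):
    """Behaviour described in the resolution (modelled, not OTK code).

    Verification only runs when the client has registered scopes; otherwise
    the request is accepted as-is and 'oob' is used."""
    if not client.registered_scopes:
        return frozenset({OOB_SCOPE})  # check skipped entirely
    unknown = requested - client.registered_scopes
    if unknown:
        raise InvalidScope("invalid_scope: " + " ".join(sorted(unknown)))
    return requested or frozenset({OOB_SCOPE})


def strict_scope_check(client, requested):
    """Fail-closed variant (a hardening suggestion, not product behaviour):
    every requested scope must be registered on the client, so a client
    with no registered scopes cannot request any scope at all."""
    unknown = requested - client.registered_scopes
    if unknown:
        raise InvalidScope("invalid_scope: " + " ".join(sorted(unknown)))
    return requested or frozenset({OOB_SCOPE})


def authorize(client, query_string, check=permissive_scope_check):
    """Outcome of the scope stage of an authorize call as (status, detail)."""
    requested = parse_requested_scope(query_string)
    try:
        granted = check(client, requested)
    except InvalidScope as exc:
        return "invalid_scope", str(exc)
    return "continue_to_login", " ".join(sorted(granted))


# Constructed sample clients: one with no scopes defined, one with two.
NO_SCOPE_CLIENT = Client("migrated-app")
SCOPED_CLIENT = Client("scoped-app", frozenset({"openid", "profile"}))
# Constructed authorize request asking for an unregistered 'admin' scope.
SAMPLE_REQUEST = ("response_type=code&client_id=x&scope=admin%20openid"
                  "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb")


if __name__ == "__main__":
    for client in (NO_SCOPE_CLIENT, SCOPED_CLIENT):
        for name, check in (("permissive", permissive_scope_check),
                            ("strict", strict_scope_check)):
            print(client.client_id, name, authorize(client, SAMPLE_REQUEST, check))
```

Running it shows the difference that matters in a migration: under the permissive check the client with no registered scopes proceeds to the login page with 'oob' no matter what was requested, while the client with registered scopes is stopped with 'invalid_scope'; under the strict check both requests for 'admin' are rejected.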