
Enable default behavior when scope is not provided #3005

Open
@mgmarino

Description


Problem

The current behavior:

If the app is 3rd party and no scopes are provided, then the consent screen is skipped. However, this is not always what we want and it is also not abiding by the OAuth2 spec.

The OAuth2 spec (https://datatracker.ietf.org/doc/html/rfc6749#section-3.3) specifies:

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

As such, FusionAuth should provide a way to set the default behavior here.

Solution

There must either be a way to forbid clients/applications from starting the process without a scope, or there must be a way to define what the default scopes are in the case that no scopes are provided.

Alternatives/workarounds

At the moment, there are none.

Additional context

Add any other context or screenshots about the feature request here.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
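As an added example that is not FusionAuth code, here is how an authorization server can implement the RFC 6749 section 3.3 choice the issue asks for: either substitute a pre-configured default scope when the parameter is omitted, or fail the request with `invalid_scope`, and in both cases still send a third-party app through consent. The `Application` settings (`scope_policy`, `default_scopes`, `allowed_scopes`) are hypothetical names, not FusionAuth configuration.

```python
# Added example (not FusionAuth code): server-side resolution of the OAuth2
# scope parameter per RFC 6749 section 3.3. Application settings are hypothetical.
from dataclasses import dataclass, field


class InvalidScopeError(Exception):
    """Corresponds to the RFC 6749 error code 'invalid_scope'."""


@dataclass
class Application:
    third_party: bool
    allowed_scopes: frozenset
    # "reject":  fail with invalid_scope when the scope parameter is omitted
    # "default": substitute default_scopes when the scope parameter is omitted
    scope_policy: str = "reject"
    default_scopes: frozenset = field(default_factory=frozenset)


def parse_scope(scope_param):
    """Split the space-delimited scope parameter; None or blank means omitted."""
    if scope_param is None or not scope_param.strip():
        return None
    return frozenset(scope_param.split())


def resolve_scopes(app, scope_param):
    """Return (effective_scopes, consent_required) or raise InvalidScopeError."""
    requested = parse_scope(scope_param)
    if requested is None:
        # RFC 6749 3.3: MUST use a pre-defined default or fail the request.
        if app.scope_policy == "default" and app.default_scopes:
            requested = app.default_scopes
        else:
            raise InvalidScopeError("scope parameter is required")
    unknown = requested - app.allowed_scopes
    if unknown:
        raise InvalidScopeError("unknown scope(s): " + " ".join(sorted(unknown)))
    # A third-party app always goes through consent for the effective scopes;
    # omitting the parameter never skips the consent screen.
    consent_required = app.third_party
    return requested, consent_required
```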

Metadata


Labels

enhancement (New feature or request), standards (Issues that refer to IETF, W3C or other standards)
