Fixes #238

oharsta · oharsta · commit ad4d764f891b · 2025-03-07T07:08:09.000+01:00
Backward compatibility for comma-separated Scope See also https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/445
diff --git a/pom.xml b/pom.xml
@@ -21,7 +21,7 @@
 
     <groupId>org.openconext</groupId>
     <artifactId>oidcng</artifactId>
-    <version>8.0.0</version>
+    <version>8.0.1</version>
     <name>oidcng</name>
 
     <dependencyManagement>
diff --git a/src/main/java/oidc/endpoints/AuthorizationEndpoint.java b/src/main/java/oidc/endpoints/AuthorizationEndpoint.java
@@ -416,7 +416,13 @@ private static String unsupportedPromptValue(String prompt) {
 
     public static List<String> validateScopes(OpenIDClientRepository openIDClientRepository, Scope scope, OpenIDClient client) {
         List<String> requestedScopes = scope != null ? scope.toStringList() : Collections.emptyList();
+        if (requestedScopes.stream().anyMatch(s -> s.contains(","))) {
+            //backward compatibility with old scope comma separated scopes
+            requestedScopes = requestedScopes.stream()
+                    .flatMap(s -> Arrays.stream(s.split(",")))
+                    .toList();
 
+        }
         List<String> allowedResourceServers = client.getAllowedResourceServers();
         List<String> grantedScopes = new ArrayList<>();
         if (!CollectionUtils.isEmpty(allowedResourceServers)) {
diff --git a/src/test/java/oidc/endpoints/AuthorizationEndpointUnitTest.java b/src/test/java/oidc/endpoints/AuthorizationEndpointUnitTest.java
@@ -52,6 +52,21 @@ public void validateScope() {
         doValidateScope("open_id", "open_id", "authorization_code");
     }
 
+    @Test
+    public void validateScopesForFree() {
+        doValidateScope("custom", "openid offline_access email profile phone", "authorization_code", "refresh_token");
+    }
+
+    @Test
+    public void validateScopesForFreeWrongFormat() {
+        doValidateScope("custom", "openid,offline_access,email,profile,phone", "authorization_code", "refresh_token");
+    }
+
+    @Test
+    public void validateScopesForFreeWrongFormatSpaces() {
+        doValidateScope("custom", "openid, offline_access, email, profile, phone", "authorization_code", "refresh_token");
+    }
+
     @Test
     public void validateScopeOfflineAccess() {
         doValidateScope("open_id", "open_id offline_access", "authorization_code", "refresh_token");
@@ -170,6 +185,7 @@ private void doValidateScope(String clientScope, String requestResponseScope, St
         OpenIDClientRepository openIDClientRepository = mock(OpenIDClientRepository.class);
         when(openIDClientRepository.findByClientIdIn(null))
                 .thenReturn(Collections.singletonList(client));
+        requestResponseScope = requestResponseScope.replaceAll(",", " ");
         Scope scope = Scope.parse(requestResponseScope);
         List<String> scopes = AuthorizationEndpoint.validateScopes(openIDClientRepository, scope, client);
 
