From def05eaa5552a9c95cf8a679b9bcb44dd4ede637 Mon Sep 17 00:00:00 2001
From: Randall Leeds
Date: Tue, 8 Apr 2025 18:06:38 -0700
Subject: [PATCH] fix: update session grants in the auth code token endpoint handler

Callers may wish to see the granted scope and audience of a auth code flow updated by the token endpoint handler, before responding to the token request. Move calls to set the granted scope and audience from `AuthorizeExplicitGrantHandler.PopulateTokenEndpointResponse` to the `AuthorizeExplicitGrantHandler.HandleTokenEndpointRequest` method. Fix [ory/hydra#3969](https://github.com/ory/hydra/issues/3969).
---
 handler/oauth2/flow_authorize_code_token.go | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/handler/oauth2/flow_authorize_code_token.go b/handler/oauth2/flow_authorize_code_token.go
index 7c1c8a44..75985a0b 100644
--- a/handler/oauth2/flow_authorize_code_token.go
+++ b/handler/oauth2/flow_authorize_code_token.go
@@ -64,9 +64,15 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
 	// Override scopes
 	request.SetRequestedScopes(authorizeRequest.GetRequestedScopes())
+	for _, scope := range authorizeRequest.GetGrantedScopes() {
+		request.GrantScope(scope)
+	}
 
 	// Override audiences
 	request.SetRequestedAudience(authorizeRequest.GetRequestedAudience())
+	for _, audience := range authorizeRequest.GetGrantedAudience() {
+		request.GrantAudience(audience)
+	}
 
 	// The authorization server MUST ensure that the authorization code was issued to the authenticated
 	// confidential client, or if the client is public, ensure that the 
@@ -131,14 +137,6 @@ func (c *AuthorizeExplicitGrantHandler) PopulateTokenEndpointResponse(ctx contex
 		return errorsx.WithStack(fosite.ErrInvalidRequest.WithWrap(err).WithDebug(err.Error()))
 	}
 
-	for _, scope := range authorizeRequest.GetGrantedScopes() {
-		requester.GrantScope(scope)
-	}
-
-	for _, audience := range authorizeRequest.GetGrantedAudience() {
-		requester.GrantAudience(audience)
-	}
-
 	access, accessSignature, err := c.AccessTokenStrategy.GenerateAccessToken(ctx, requester)
 	if err != nil {
 		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))