fix: update session grants in the auth code token endpoint handler

Callers may wish to see the granted scope and audience of a auth code
flow updated by the token endpoint handler, before responding to the
token request. Move calls to set the granted scope and audience from
`AuthorizeExplicitGrantHandler.PopulateTokenEndpointResponse` to the
`AuthorizeExplicitGrantHandler.HandleTokenEndpointRequest` method.

Fix [ory/hydra#3969](ory/hydra#3969).

Author: tilgovi

handler/oauth2/flow_authorize_code_token.go

@@ -64,9 +64,15 @@ func (c *AuthorizeExplicitGrantHandler) HandleTokenEndpointRequest(ctx context.C
 
 	// Override scopes
 	request.SetRequestedScopes(authorizeRequest.GetRequestedScopes())
+	for _, scope := range authorizeRequest.GetGrantedScopes() {
+		request.GrantScope(scope)
+	}
 
 	// Override audiences
 	request.SetRequestedAudience(authorizeRequest.GetRequestedAudience())
+	for _, audience := range authorizeRequest.GetGrantedAudience() {
+		request.GrantAudience(audience)
+	}
 
 	// The authorization server MUST ensure that the authorization code was issued to the authenticated
 	// confidential client, or if the client is public, ensure that the
@@ -131,14 +137,6 @@ func (c *AuthorizeExplicitGrantHandler) PopulateTokenEndpointResponse(ctx contex
 		return errorsx.WithStack(fosite.ErrInvalidRequest.WithWrap(err).WithDebug(err.Error()))
 	}
 
-	for _, scope := range authorizeRequest.GetGrantedScopes() {
-		requester.GrantScope(scope)
-	}
-
-	for _, audience := range authorizeRequest.GetGrantedAudience() {
-		requester.GrantAudience(audience)
-	}
-
 	access, accessSignature, err := c.AccessTokenStrategy.GenerateAccessToken(ctx, requester)
 	if err != nil {
 		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))