From 5ec9989189ddfb8274d0a96d719081e3f61df715 Mon Sep 17 00:00:00 2001
From: Olivier Dumont
Date: Tue, 30 Dec 2025 13:52:01 +0100
Subject: [PATCH] Remove redundant 'openid' scope special case logic

The special case for adding 'openid' scope was redundant and could potentially bypass client scope restrictions. The main loop already correctly adds 'openid' to validScopes if it's in both requestedScopes and allowedScopes. Since 'openid' is already in the default scopes during client configuration (SyncClientsFromConfig), it will be available for clients that don't explicitly configure scopes. Clients can include or exclude 'openid' in their allowedScopes as needed. This ensures consistent enforcement of client scope restrictions with no special-case bypasses.
---
 internal/service/oidc_service.go | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/internal/service/oidc_service.go b/internal/service/oidc_service.go
index 7ee8ccd..87bb305 100644
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -323,22 +323,6 @@ func (oidc *OIDCService) ValidateScope(client *model.OIDCClient, requestedScopes
 		}
 	}
 
-	// Only include "openid" if it was requested AND it's in the client's allowed scopes
-	// This respects client scope restrictions and doesn't bypass allowedScopes
-	if contains(requestedScopesList, "openid") && contains(allowedScopes, "openid") {
-		// Check if "openid" is already in validScopes (added by the loop above)
-		hasOpenID := false
-		for _, scope := range validScopes {
-			if scope == "openid" {
-				hasOpenID = true
-				break
-			}
-		}
-		if !hasOpenID {
-			validScopes = append(validScopes, "openid")
-		}
-	}
-
 	return validScopes, nil
 }
 