Remove redundant 'openid' scope special case logic

The special case for adding 'openid' scope was redundant and could potentially bypass client scope restrictions. The main loop already correctly adds 'openid' to validScopes if it's in both requestedScopes and allowedScopes. Since 'openid' is already in the default scopes during client configuration (SyncClientsFromConfig), it will be available for clients that don't explicitly configure scopes. Clients can include or exclude 'openid' in their allowedScopes as needed. This ensures consistent enforcement of client scope restrictions with no special-case bypasses.
2025-12-31 20:42:31 +00:00 · 2025-12-30 13:52:01 +01:00
parent ad12110fbf
commit 5ec9989189
1 changed files with 0 additions and 16 deletions
--- a/internal/service/oidc_service.go
+++ b/internal/service/oidc_service.go
@@ -323,22 +323,6 @@ func (oidc *OIDCService) ValidateScope(client *model.OIDCClient, requestedScopes
 		}
 	}

-	// Only include "openid" if it was requested AND it's in the client's allowed scopes
-	// This respects client scope restrictions and doesn't bypass allowedScopes
-	if contains(requestedScopesList, "openid") && contains(allowedScopes, "openid") {
-		// Check if "openid" is already in validScopes (added by the loop above)
-		hasOpenID := false
-		for _, scope := range validScopes {
-			if scope == "openid" {
-				hasOpenID = true
-				break
-			}
-		}
-		if !hasOpenID {
-			validScopes = append(validScopes, "openid")
-		}
-	}
-
 	return validScopes, nil
 }