Skip to content

Disallow usage of the openid scope in device authorization requests #2177

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Disallow usage of the openid scope in device authorization requests #2177

wants to merge 3 commits into from
+24 −2

Conversation

@fine-pine
Copy link

@fine-pine fine-pine commented Aug 26, 2025

  • Disallow usage of the openid scope in device authorization requests
  • Allow ID token refresh when an ID token already exists

Closes gh-2037

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 26, 2025
@fine-pine fine-pine force-pushed the gh-2037 branch 2 times, most recently from f3eec52 to 7430616 Compare August 26, 2025 09:11
@fine-pine fine-pine marked this pull request as ready for review August 26, 2025 09:43
@injae-kim injae-kim mentioned this pull request Aug 26, 2025
Closed
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 19, 2025
@jgrandja jgrandja self-assigned this Sep 19, 2025
jgrandja
jgrandja requested changes Sep 19, 2025
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix @fine-pine. Please see review comments.

Also, there are a couple of failing tests so please run the build and ensure it passes before submitting your changes.

Lastly, please rebase the fix on 1.4.x. Thanks.

fine-pine and others added 3 commits September 20, 2025 15:47
@fine-pine
Prevent ID token refresh in device code flow
9ddb20a 
- Disallow usage of the `openid` scope in device authorization requests
- Allow ID token refresh when an ID token already exists

Closes spring-projectsgh-2037

Signed-off-by: fine-pine <[email protected]>
@fine-pine @injae-kim
Resolve lint review
4ea9a73 
Co-authored-by: injae kim <[email protected]>
Signed-off-by: Lee Song Mok <[email protected]>
@fine-pine
Resolve reviews
7d06aaa 
Signed-off-by: fine-pine <[email protected]>
@fine-pine fine-pine changed the base branch from main to 1.4.x September 20, 2025 06:50
@fine-pine fine-pine requested a review from jgrandja September 20, 2025 06:57
@jgrandja jgrandja changed the title Prevent ID token refresh in device code flow Disallow usage of the openid scope in device authorization requests Oct 17, 2025
@jgrandja jgrandja added this to the 1.4.6 milestone Oct 17, 2025
@jgrandja jgrandja mentioned this pull request Oct 17, 2025
Closed
jgrandja pushed a commit that referenced this pull request Oct 17, 2025
@fine-pine @jgrandja
Disallow usage of the openid scope in device authorization requests
5352e34 
Closes gh-2177

Signed-off-by: fine-pine <[email protected]>
jgrandja added a commit that referenced this pull request Oct 17, 2025
@jgrandja
Polish gh-2177
4a3a1ba
@jgrandja
Copy link
Collaborator

jgrandja commented Oct 17, 2025

Thanks for the updates @fine-pine. This is now merged.

@jgrandja jgrandja closed this Oct 17, 2025
jgrandja added a commit to spring-projects/spring-security that referenced this pull request Oct 17, 2025
@jgrandja
Disallow usage of the openid scope in device authorization requests
4b810a8 
Issue spring-projects/spring-authorization-server#2177
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jgrandja jgrandja Awaiting requested review from jgrandja

1 more reviewer

@injae-kim injae-kim injae-kim left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jgrandja jgrandja

Labels

type: bug A general bug

Projects

None yet

Milestone

1.4.6

Development

Successfully merging this pull request may close these issues.

500 Error on Refresh Token Request in Device Code Flow When Using openid Scope

4 participants

@fine-pine @jgrandja @injae-kim @spring-projects-issues