From d6e83ace1ecc589a6f850cf9fb63c69fe15b7069 Mon Sep 17 00:00:00 2001 From: Brock Allen Date: Wed, 7 Aug 2019 09:27:09 -0400 Subject: [PATCH] Assume requested scopes when response response doesn't contain scope #856 --- src/ResponseValidator.js | 5 +++++ src/SigninRequest.js | 2 +- src/SigninState.js | 9 +++++++-- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/src/ResponseValidator.js b/src/ResponseValidator.js index 6838e6a3..082e8fcb 100644 --- a/src/ResponseValidator.js +++ b/src/ResponseValidator.js @@ -130,6 +130,11 @@ export class ResponseValidator { return Promise.reject(new Error("Unexpected code in response")); } + if (!response.scope) { + // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request + response.scope = state.scope; + } + return Promise.resolve(response); } diff --git a/src/SigninRequest.js b/src/SigninRequest.js index afffd62b..1fdd6eb8 100644 --- a/src/SigninRequest.js +++ b/src/SigninRequest.js @@ -49,7 +49,7 @@ export class SigninRequest { data, client_id, authority, redirect_uri, code_verifier: code, request_type, response_mode, - client_secret }); + client_secret, scope }); url = UrlUtility.addQueryParam(url, "client_id", client_id); url = UrlUtility.addQueryParam(url, "redirect_uri", redirect_uri); diff --git a/src/SigninState.js b/src/SigninState.js index 88fcf2e6..5903273c 100644 --- a/src/SigninState.js +++ b/src/SigninState.js @@ -7,7 +7,7 @@ import { JoseUtil } from './JoseUtil.js'; import random from './random.js'; export class SigninState extends State { - constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret} = {}) { + constructor({nonce, authority, client_id, redirect_uri, code_verifier, response_mode, client_secret, scope} = {}) { super(arguments[0]); if (nonce === true) { 
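Review bot: The fallback added at `if (!response.scope)` in ResponseValidator.js copies the *requested* scope from the stored state, which RFC 6749 §5.1 only allows because a server may omit `scope` when the grant is identical to what was requested; if the authorization server narrowed the grant and reports that only on the token-endpoint response, the token exchange (not in this hunk) must keep a server-supplied `scope` in preference to this value, otherwise the client records scopes it was never granted. The in-line comment should cite that rule so the assumption is not weakened later: `// RFC 6749 §5.1: the server may omit scope only when it equals the requested scope, so assume the requested scope (state.scope) was granted`. Since `state.scope` will be undefined for SigninState entries persisted before this change, the assignment can also leave `response.scope` unset, which is harmless but worth a debug log when the fallback is taken so a server that omits `scope` is visible in traces (assuming `Log` is imported in this file as it is in SigninState.js). The enclosing method starts before the hunk.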
@@ -35,6 +35,7 @@ export class SigninState extends State { this._client_id = client_id; this._response_mode = response_mode; this._client_secret = client_secret; + this._scope = scope; } get nonce() { @@ -61,6 +62,9 @@ export class SigninState extends State { get client_secret() { return this._client_secret; } + get scope() { + return this._scope; + } toStorageString() { Log.debug("SigninState.toStorageString"); @@ -75,7 +79,8 @@ export class SigninState extends State { authority: this.authority, client_id: this.client_id, response_mode: this.response_mode, - client_secret: this.client_secret + client_secret: this.client_secret, + scope: this.scope }); }
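Review bot: The new `get scope()` accessor in SigninState.js (hunk `@@ -61,6 +62,9 @@`) has no doc comment, and since its value is persisted through toStorageString and later consumed as the granted scope by ResponseValidator, a reader of this class cannot tell why a request parameter is being kept in state. Suggest a JSDoc above the getter: `/** Space-delimited scope string from the original signin request; ResponseValidator assumes it was granted when the response omits scope (RFC 6749 §5.1). */`. The same one-line note on the `scope` entry in toStorageString would make clear it is intentionally stored alongside the other request parameters rather than re-read from settings at response time, which matters if the configured scopes change between request and callback.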