fix: base accepted scope off the accepted scopes, not param scopes

The end result here is the same for all flows going through the default interaction checks, but the moment you start disabling checks and omit to call acceptedScopesFor, this makes more sense
panva · Jun 2, 2019 · ccec5d3 · ccec5d3
1 parent cc66876
commit ccec5d3
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/lib/helpers/oidc_context.js b/lib/helpers/oidc_context.js
@@ -128,11 +128,10 @@ module.exports = function getContext(provider) {
     }
 
     acceptedScope() {
-      const scopes = new Set([...this.requestParamScopes]);
-      const rejected = this.session.rejectedScopesFor(this.params.client_id);
-      rejected.forEach(Set.prototype.delete.bind(scopes));
+      // acceptedScopesFor already has the rejected filtered out
+      const accepted = this.session.acceptedScopesFor(this.params.client_id);
 
-      return [...scopes].join(' ') || undefined;
+      return [...this.requestParamScopes].filter(scope => accepted.has(scope)).join(' ') || undefined;
     }
 
     resolvedClaims() {