feat: always return scope with token implicit response

As it was not reliable to compare the scope parameter with scope
granted, due to AS policy changing scope being implemented by changing
the scope parameter, the server will now always return scope with
the implicit and hybrid authorization response types including `token`.

lib/actions/authorization/process_response_types.js

@@ -32,11 +32,9 @@ async function tokenHandler(ctx) {
     access_token: await token.save(),
     expires_in: token.expiration,
     token_type: 'Bearer',
+    scope: token.scope,
   };
 
-  if (token.scope !== ctx.oidc.params.scope) {
-    result.scope = token.scope;
-  }
 
   return result;
 }

test/claims/claims.test.js

@@ -136,7 +136,7 @@ expire.setDate(expire.getDate() + 1);
         this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['access_token'], false))
+          .expect(auth.validatePresence(['access_token', 'scope'], false))
           .end((err, response) => {
             if (err) {
               return done(err);
@@ -188,7 +188,7 @@ expire.setDate(expire.getDate() + 1);
         this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'access_token'], false))
+          .expect(auth.validatePresence(['id_token', 'access_token', 'scope'], false))
           .expect((response) => {
             const { query: { id_token } } = parseLocation(response.headers.location, true);
             const { payload } = decodeJWT(id_token);

test/core/hybrid/code+id_token+token.authorization.test.js

@@ -23,7 +23,7 @@ describe('HYBRID code+id_token+token', () => {
         await this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['code', 'id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['code', 'id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 
@@ -39,7 +39,7 @@ describe('HYBRID code+id_token+token', () => {
         await this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['code', 'id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['code', 'id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 

test/core/hybrid/code+token.authorization.test.js

@@ -23,7 +23,7 @@ describe('HYBRID code+token', () => {
         return this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
       });
@@ -37,7 +37,7 @@ describe('HYBRID code+token', () => {
         return this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
       });

test/core/implicit/id_token+token.authorization.test.js

@@ -25,7 +25,7 @@ describe('IMPLICIT id_token+token', () => {
         await this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 
@@ -41,7 +41,7 @@ describe('IMPLICIT id_token+token', () => {
         await this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 
@@ -70,7 +70,7 @@ describe('IMPLICIT id_token+token', () => {
         return this.wrap({ route, verb, auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation)
           .then((response) => {

test/dynamic_scopes/dynamic_scopes.test.js

@@ -88,7 +88,7 @@ describe('dynamic scopes', () => {
       await this.wrap({ route: '/auth', verb: 'get', auth })
         .expect(302)
         .expect(auth.validateFragment)
-        .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type']))
+        .expect(auth.validatePresence(['code', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
         .expect(auth.validateState)
         .expect(auth.validateClientLocation)
         .expect(({ headers: { location } }) => {

test/resource_indicators/resource_indicators.test.js

@@ -359,7 +359,7 @@ describe('features.resourceIndicators', () => {
         await this.wrap({ route: '/auth', verb: 'get', auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 
@@ -380,7 +380,7 @@ describe('features.resourceIndicators', () => {
         await this.wrap({ route: '/auth', verb: 'get', auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 
@@ -401,7 +401,7 @@ describe('features.resourceIndicators', () => {
         await this.wrap({ route: '/auth', verb: 'get', auth })
           .expect(302)
           .expect(auth.validateFragment)
-          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+          .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
           .expect(auth.validateState)
           .expect(auth.validateClientLocation);
 

test/session_bound_tokens/session_bound_tokens.test.js

@@ -221,7 +221,7 @@ describe('session bound tokens behaviours', () => {
         .query(auth)
         .expect(302)
         .expect(auth.validateFragment)
-        .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type']))
+        .expect(auth.validatePresence(['id_token', 'state', 'access_token', 'expires_in', 'token_type', 'scope']))
         .expect(auth.validateState)
         .expect(auth.validateClientLocation)
         .expect(assignAuthorizationResponseValues.bind(this));

test/web_message/web_message.test.js

@@ -57,7 +57,7 @@ describe('configuration features.webMessageResponseMode', () => {
         expect(response).to.have.property('redirect_uri', auth.redirect_uri);
         expect(response).to.have.property('web_message_uri', null);
         expect(response).to.have.property('web_message_target', null);
-        expect(response.response).to.have.keys('id_token', 'state', 'access_token', 'expires_in', 'token_type');
+        expect(response.response).to.have.keys('id_token', 'state', 'access_token', 'scope', 'expires_in', 'token_type');
         expect(response.response.id_token).to.be.a('string');
         expect(response.response.expires_in).to.be.a('number');
         expect(response.response.access_token).to.be.a('string');
@@ -90,7 +90,7 @@ describe('configuration features.webMessageResponseMode', () => {
         expect(response).to.have.property('redirect_uri', auth.redirect_uri);
         expect(response).to.have.property('web_message_uri', 'https://auth.example.com');
         expect(response).to.have.property('web_message_target', 'targetID');
-        expect(response.response).to.have.keys('id_token', 'state', 'access_token', 'expires_in', 'token_type');
+        expect(response.response).to.have.keys('id_token', 'state', 'access_token', 'scope', 'expires_in', 'token_type');
         expect(response.response.id_token).to.be.a('string');
         expect(response.response.expires_in).to.be.a('number');
         expect(response.response.access_token).to.be.a('string');