
Fix gh-18565: Support consent for clients with no registered scopes#18574

Closed
ryujungkyun wants to merge 1 commit into spring-projects:main from ryujungkyun:gh-18565-fix-consent-issue

Conversation

@ryujungkyun

Description

This PR addresses gh-18565, where the OAuth2AuthorizationConsentAuthenticationProvider incorrectly handles authorization consent for a RegisteredClient with no registered scopes.

When requireAuthorizationConsent(true) is set for a client with no scopes, the provider currently:

  1. Throws an ACCESS_DENIED error because it assumes an empty authority set implies user denial.
  2. Throws an IllegalArgumentException from OAuth2AuthorizationConsent.Builder because building with an empty authority set is not permitted.

Changes

  • Updated the logic to only throw ACCESS_DENIED if requestedScopes is not empty.
  • Conditionally call OAuth2AuthorizationConsent.Builder.build() only when authorities are present.
  • Added a cleanup step to remove stale consent records when the resulting authority set is empty.

Related Issue

Ref: gh-18565

How to Test

I have added a reproduction test case: authenticateWhenNoScopesAndConsentRequiredThenReturnAuthorizationCode() in OAuth2AuthorizationConsentAuthenticationProviderTests.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 25, 2026
…stered scopes

Signed-off-by: 류정균 <prank01@naver.com>
@ryujungkyun ryujungkyun force-pushed the gh-18565-fix-consent-issue branch from 78bfea8 to 573fc92 Compare January 25, 2026 07:31
@jgrandja
Contributor

jgrandja commented Feb 12, 2026

@ryujungkyun I'm going to close this as I don't believe any changes are necessary. Please see comment.

@jgrandja jgrandja closed this Feb 12, 2026
@jgrandja jgrandja self-assigned this Feb 12, 2026
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 12, 2026