Empty scope in Token Exchange response #60
Description
Hello,
We are facing a situation in our implementation of Token Exchange where the client's requested scope is filtered out to an empty list as a result of applying specific policy restrictions.
I.e. CLIENT_A asks to exchange an access token for another access token by setting a specific set of scopes in the Token Exchange request. However, the configured token exchange policy restricts the specific client from asking for all the requested scopes.
According to RFC 8693, for a successful Token Exchange response:
"scope
OPTIONAL if the scope of the issued security token is identical to
the scope requested by the client; otherwise, it is REQUIRED."
Since the requested scope is altered, the scope field must be included in the response.
In addition, according to RFC 6749 regarding the Access Token Scope:
"The authorization server MAY fully or partially ignore the scope
requested by the client, based on the authorization server policy or
the resource owner's instructions. If the issued access token scope
is different from the one requested by the client, the authorization
server MUST include the "scope" response parameter to inform the
client of the actual scope granted."
Based on the references above, I think it is rational to permit an empty string as a legitimate scope in the Token Exchange and (?) Access Token responses. Any comments?
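As an added illustration of the response logic the issue describes (this is example code, not this project's implementation): a token exchange response builder that applies a per-client scope policy and emits the `scope` parameter whenever the granted scope is not identical to the requested one, so that a grant filtered down to nothing is reported as `"scope": ""` rather than by omitting the parameter. A small client-side helper shows why the distinction matters: RFC 6749 lets a client treat an absent `scope` as "you got what you asked for". The client ids, scope names and policy table are constructed for the example.

```python
"""Added example (not the project's own code): RFC 8693 token exchange
response with the 'scope' parameter emitted on any change, empty included."""
import json

# Constructed sample policy (hypothetical client ids and scope names):
# the set of scopes each client may obtain through token exchange.
EXCHANGE_POLICY = {
    "CLIENT_A": {"read"},
    "CLIENT_B": {"read", "write"},
}

TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token"


def parse_scope(scope_param):
    """Split a space-delimited scope string (RFC 6749 section 3.3) into a list."""
    return scope_param.split() if scope_param else []


def filter_scope(client_id, requested_scope):
    """Apply the exchange policy: keep only requested scopes the client may
    receive, preserving request order so the lists compare reliably."""
    allowed = EXCHANGE_POLICY.get(client_id, set())
    return [s for s in parse_scope(requested_scope) if s in allowed]


def build_exchange_response(client_id, requested_scope, issued_token):
    """Build the successful token exchange response body (RFC 8693 section 2.2.1)."""
    requested = parse_scope(requested_scope)
    granted = filter_scope(client_id, requested_scope)
    response = {
        "access_token": issued_token,
        "issued_token_type": TOKEN_TYPE_ACCESS,
        "token_type": "Bearer",
        "expires_in": 3600,
    }
    # 'scope' is OPTIONAL only when the issued scope is identical to the
    # requested scope; otherwise it is REQUIRED. An empty grant is a change
    # from a non-empty request, so the parameter is present and empty rather
    # than omitted. Whether a token with no scope should be issued at all is
    # a policy question this example leaves open.
    if granted != requested:
        response["scope"] = " ".join(granted)
    return response


def effective_scope(requested_scope, response):
    """Client-side interpretation: an absent 'scope' means the request was
    granted as-is, so omitting it for an empty grant would mislead the client."""
    if "scope" in response:
        return parse_scope(response["scope"])
    return parse_scope(requested_scope)


if __name__ == "__main__":
    for client, asked in [("CLIENT_B", "read write"),
                          ("CLIENT_A", "read write"),
                          ("CLIENT_A", "write admin")]:
        body = build_exchange_response(client, asked, "constructed-token")
        print(client, asked, "->", json.dumps(body),
              "| client sees:", effective_scope(asked, body))
```

Running the block prints one line per case: CLIENT_B gets no `scope` parameter because the grant matches the request, CLIENT_A asking for `read write` gets `"scope": "read"`, and CLIENT_A asking only for scopes the policy forbids gets `"scope": ""`, which the client correctly reads as an empty grant instead of assuming the full request.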