[PR #4940] [MERGED] fix(common): oauth2 password flow not respecting scopes #4995

Closed
opened 2026-03-17 02:28:55 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/4940
Author: @qhris
Created: 3/26/2025
Status: Merged
Merged: 3/26/2025
Merged by: @jamesgeorge007

Base: next ← Head: fix/oauth2-password


📝 Commits (1)

  • e04d23f (https://github.com/hoppscotch/hoppscotch/commit/e04d23f08d11dd1c0f1b2d25a1a4c9ed004a21a2) fix(common): oauth2 password flow scopes

📊 Changes

1 file changed (+1 additions, -1 deletions)

📝 packages/hoppscotch-common/src/services/oauth/flows/password.ts (+1 -1)

📄 Description

Fixes an issue where the `scope` parameter is not sent to the IDP token endpoint when using the `password` oauth2 flow.

The code today sends the scopes as `scopes` and not `scope`, which is not according to the OAuth2 specification. The scopes selected in the UI will not be respected. After this fix, the scopes will be respected as expected.

Testing

  1. Select the Authorization tab of a request.
  2. Select OAuth2 as the authorization type.
  3. Select Password as the grant type.
  4. Enter all endpoints and details for a password client.
  5. Select a subset of scopes in the scope parameter.
  6. Notice how the subset of scopes is not respected.

Changes

Before

Request received in test application (formatted as JSON):

{"grant_type":"password","username":"redacted","password":"redacted","client_id":"test","client_secret":"redacted","scope":null}

After

Request received in test application (formatted as JSON):

{"grant_type":"password","username":"redacted","password":"redacted","client_id":"test","client_secret":"redacted","scope":"myscope"}
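The Before/After bodies above show the whole bug: a `scopes` key the authorization server ignores, so the token is issued for whatever default scope the IDP applies rather than the subset the user picked. The following is an added example, not Hoppscotch's `password.ts` or any other project code, of how a password-grant token request body is assembled per RFC 6749 §4.3.2 (single space-delimited `scope` value, omitted when nothing is selected) together with a check that reports parameter names the grant does not define, which is the kind of assertion that would have caught `scopes`. The parameter and function names (`PasswordGrantParams`, `buildPasswordGrantBody`, `unknownPasswordGrantParams`, `requestedScopes`) are assumptions made for this example.

```typescript
// Added example (not Hoppscotch code): build an RFC 6749 §4.3.2 password-grant token
// request body and check it for parameter names the grant does not define, such as the
// `scopes` key this PR replaces with `scope`.

// Hypothetical input shape: scopes as a list, the way a UI would collect them.
interface PasswordGrantParams {
  username: string;
  password: string;
  clientId: string;
  clientSecret?: string;
  scopes?: string[];
}

// Parameters the password grant defines in RFC 6749 §4.3.2, plus the client credential
// names from §2.3.1 for clients that put their credentials in the request body.
const PASSWORD_GRANT_PARAMS: ReadonlySet<string> = new Set([
  "grant_type",
  "username",
  "password",
  "scope",
  "client_id",
  "client_secret",
]);

// Assemble the application/x-www-form-urlencoded token request body.
function buildPasswordGrantBody(p: PasswordGrantParams): URLSearchParams {
  const body = new URLSearchParams();
  body.set("grant_type", "password");
  body.set("username", p.username);
  body.set("password", p.password);
  body.set("client_id", p.clientId);
  if (p.clientSecret !== undefined) body.set("client_secret", p.clientSecret);
  // RFC 6749 §3.3: scope is one space-delimited, case-sensitive string. When nothing was
  // selected the parameter is left out entirely rather than sent empty or as "null".
  const scope = (p.scopes ?? []).map((s) => s.trim()).filter((s) => s.length > 0);
  if (scope.length > 0) body.set("scope", scope.join(" "));
  return body;
}

// Report keys of a token-request body that the password grant does not define. A body
// that used `scopes` instead of `scope` shows up here; a spec-conformant body yields [].
function unknownPasswordGrantParams(body: URLSearchParams): string[] {
  const unknown: string[] = [];
  body.forEach((_value, key) => {
    if (!PASSWORD_GRANT_PARAMS.has(key) && !unknown.includes(key)) unknown.push(key);
  });
  return unknown;
}

// Parse the `scope` value back into the list the authorization server will evaluate.
// A body carrying only `scopes` parses to [], which is exactly the "Before" behaviour.
function requestedScopes(body: URLSearchParams): string[] {
  const raw = body.get("scope");
  return raw ? raw.split(" ").filter((s) => s.length > 0) : [];
}
```

`requestedScopes` on a body built the old way returns an empty list, matching the `"scope":null` the test application logged before the fix, while `unknownPasswordGrantParams` names the stray `scopes` key; wiring the second check into a unit test of the flow builder turns this class of typo into a failing test rather than a silently widened token.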

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
