diff --git a/oauth3.core.js b/oauth3.core.js
index 58f67d1..90b6aed 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -169,7 +169,7 @@
 }
 , scope: {
 parse: function (scope) {
- return (scope||'').split(/[+, ]+/g);
+ return (scope||'').toString().split(/[+, ]+/g);
 }
 , stringify: function (scope) {
 if (Array.isArray(scope)) {
diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index 6571c91..7d48506 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -371,7 +371,7 @@ OAUTH3.authn.resourceOwnerPassword = function (directive, opts) {
 OAUTH3.authz = {};
 OAUTH3.authz.scopes = function (providerUri, session, clientParams) {
 var clientUri = OAUTH3.uri.normalize(clientParams.client_uri || OAUTH3._browser.window.document.referrer);
- var scope = clientParams.scope || [ 'authn@oauth3.org' ];
+ var scope = clientParams.scope || 'authn@oauth3.org';
 if ('authn@oauth3.org' === scope.toString()) {
 // implicit ppid grant is automatic
 console.warn('[security] fix scope checking on backend so that we can do automatic grants');
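Review bot: In `scope.parse` (oauth3.core.js), the added `.toString()` coerces any truthy value, not just the string and array forms, so a plain object would become `[object Object]` and be split into two tokens that are then treated as scopes. Because the parsed list feeds authorization decisions, I would accept only the two expected types before splitting, e.g. `if (Array.isArray(scope)) { scope = scope.join(' '); }` followed by `if ('string' !== typeof scope) { scope = ''; }`. Empty input also still yields `['']` rather than an empty list; whether callers rely on that is not visible here. The enclosing object starts and ends outside the hunk.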
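Review bot: In `OAUTH3.authz.scopes` (oauth3.issuer.js), the fallback for `scope` changes from an array to a string, so any code after this hunk written against the array default now receives a string; that code lies outside the hunk and should be checked for array-only calls. The automatic-grant branch also keys on `scope.toString()` of a caller-supplied `clientParams.scope` whose type is not pinned down, so I would normalize it once up front, for instance with the `scope.parse` helper changed in oauth3.core.js, and compare against a single-element result. If, as the `console.warn` text suggests, the backend does not yet enforce scope, a tracked comment such as `// TODO: enforce scope on the backend; this browser-side comparison is not the enforcement point` would state that plainly for the next reader.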