diff --git a/oauth3.issuer.js b/oauth3.issuer.js
index 3d63c71..6571c91 100644
--- a/oauth3.issuer.js
+++ b/oauth3.issuer.js
@@ -371,8 +371,8 @@ OAUTH3.authn.resourceOwnerPassword = function (directive, opts) {
 OAUTH3.authz = {};
 OAUTH3.authz.scopes = function (providerUri, session, clientParams) {
 var clientUri = OAUTH3.uri.normalize(clientParams.client_uri || OAUTH3._browser.window.document.referrer);
-var scope = clientParams.scope || 'oauth3_authn';
-if ('oauth3_authn' === scope) {
+var scope = clientParams.scope || [ 'authn@oauth3.org' ];
+if ('authn@oauth3.org' === scope.toString()) {
 // implicit ppid grant is automatic
 console.warn('[security] fix scope checking on backend so that we can do automatic grants');
 // TODO check user preference if implicit ppid grant is allowed
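Review bot: The new `if ('authn@oauth3.org' === scope.toString())` gates the automatic (no-prompt) grant on a string comparison that only works because `Array.prototype.toString` joins with commas, so `scope` is left as either a client-supplied string or the array default for the rest of OAUTH3.authz.scopes, whose body continues outside the hunk. Since this value is client-controlled and decides whether the user is prompted, normalize it to one representation before the check, e.g. `var scope = [].concat(clientParams.scope || [ 'authn@oauth3.org' ]);` and `if (1 === scope.length && 'authn@oauth3.org' === scope[0]) {`, which matches exactly the same inputs as the current comparison but hands an array to whatever follows. Note also that the removed `'oauth3_authn'` literal is no longer recognized, so a client still sending that scope will presumably fall out of the automatic-grant branch; if that is intended it is worth a one-line comment, e.g. `// legacy 'oauth3_authn' scope intentionally not honored for the implicit grant`.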