function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
John BrodieJohn Brodie 

Bug in Salesforce OAuth 2.0 Implementation

I'm developing an app which utilizes OAuth 2.0, and it appears that there is a bug in the implementation.


I'm using Google's "oauth2client" library for python, and kept getting a "scope parameter not supported" error when trying to exchange an authorization code for an access token (using the web server flow).  The library sends the scope parameter during both the initial step of the flow, as well as with the exchange step.  However, it appears that SalesForce throws an error if a scope parameter is included with the exchange request - but it will work if the scope param is included but is the empty string.


Section 3.3 of the OAuth 2.0 RFC states "The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter." - which leads to the conclusion that this is an implementation bug.  


The current situation leaves me with making changes to a third-party library (not ideal), or not being able to specify a scope (not ideal, as I must then use the default).

Scott T.Scott T.

For some grant types "scope" is a valid parameter for the token endpoint.  But for authorization code, I don't see it mentioned in the spec:


Seems this is a (somewhat) ambiguous part of the spec.  Personally, the authorization code already represents what scope the app requested / user approved - so redefining the scope during code exchange doesn't make sense to me.