From 17a464fd15d8a2ffb25a4720e1ba3eec80ab60ab Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Mon, 20 Apr 2026 17:26:46 +1000
Subject: [PATCH] Fix OIDC claims validation against undefined scopes variable

The authorize action called validate_claims_against_scopes with requested_scopes before that local was assigned (assignment was ~100 lines later), raising NameError whenever a client passed a claims= parameter. Move the scope normalization above the claims validation.

Co-Authored-By: Claude Opus 4
---
 app/controllers/oidc_controller.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index b322d1f..aa584e2 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -168,6 +168,12 @@ class OidcController < ApplicationController
 end
 end
 
+ # Normalize requested scopes to the set we support. Needed here so claims
+ # validation below can check claim→scope coverage against what will actually
+ # be granted.
+ requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
+ scope = requested_scopes.join(" ")
+
 # Parse claims parameter (JSON string) for OIDC claims request
 # Per OIDC Core §5.5: The claims parameter is a JSON object that requests
 # specific claims to be returned in the id_token and/or userinfo
@@ -291,9 +297,6 @@ class OidcController < ApplicationController
 return
 end
 
- requested_scopes = scope.split(" ") & SUPPORTED_SCOPES
- scope = requested_scopes.join(" ")
-
 unless requested_scopes.include?("openid")
 error_uri = "#{redirect_uri}?error=invalid_scope&error_description=#{CGI.escape("The 'openid' scope is required")}"
 error_uri += "&state=#{CGI.escape(state)}" if state.present?
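Review bot: The added `requested_scopes = scope.split(" ") & SUPPORTED_SCOPES` line now executes ahead of every check that sat between the two hunks, so if `scope` can be nil (client omitted the parameter) `scope.split` raises NoMethodError at line 172 and the request ends in a 500 rather than the invalid_scope redirect; whether a presence check for scope existed in the ~120 lines between the old and new positions is not visible in this patch, so confirm it. Make the line nil-safe either way: `requested_scopes = scope.to_s.split(" ") & SUPPORTED_SCOPES` (`String#split(" ")` already collapses repeated whitespace, so nothing else changes). A related ordering point to confirm: the claims validation this line feeds now runs before the `return` block shown in the second hunk, so if it redirects to `redirect_uri` on error, `redirect_uri` must already have been validated against the registered client above line 168, otherwise that error path is an open redirect. The enclosing authorize action starts and ends outside both hunks.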