Update changelog for #2622

2021-10-26 16:47:49 +02:00 · 2021-10-26 16:47:49 +02:00 · e0adae7436
commit e0adae7436
parent b21500122d
1 changed files with 13 additions and 0 deletions
--- a/doc/sources/admin/upgrade_2_0_x.rst
+++ b/doc/sources/admin/upgrade_2_0_x.rst
@ -29,6 +29,19 @@ None
 2.0.14
 ------

+Empty scopes now rejected in OAuth2.0 grants
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Previously, it was possible to be granted an empty scope, or an automatic
+``openid`` scope when doing :ref:`OAuth2.0 Password Grant
+<resource-owner-password-grant>` or :ref:`Client Credentials Grant
+<client-credentials-grant>`.
+
+Starting with *2.0.14*, empty scopes are no longer allowed (:rfc:`6749#section-3.3`).
+You need to either add a `scope` parameter to your request, or define a default
+scope in your Relying Party's :ref:`Scope Rules <oidcscoperules>`.
+
+
 Portal templates changes
 ~~~~~~~~~~~~~~~~~~~~~~~~