Karthik

Reputation: 5040

Requesting multiple scopes in Spring Security Oauth2 version 2.0.7.RELEASE

We have an application which is using spring-security-oauth2:1.0. I was trying to change it to a newer version, spring-security-oauth2:2.0.7.RELEASE. If I don't specify the scope, or if I specify a single scope, the application works fine. I have a problem when requesting multiple scopes like read,write, which used to work in the previous version.

The client I am requesting has all read,write and trust permissions.

When I was using spring-security-oauth2:1.0, to get a token I used to do a GET call like

http://localhost:8080/oauth/token?grant_type=password&client_id=ws&client_secret=secret&scope=read,write&[email protected]&password=temp123

If you see the scope parameter scope=read,write, by requesting this way I used to get a token with scope read and write.

If I try to do the same thing with Oauth2 version 2.0.7.RELEASE (with a POST request though), I get an Invalid Scope exception because the tokenRequest is taking read,write as a single scope. The client I am requesting has read, write and trust permissions, but read,write is not one of them.

If I try it with scope=write or scope=read, it works fine because read or write are part of the client's scope.

If I want to request for multiple scopes in OAuth2 2.0.7.RELEASE, how do I do that?

Upvotes: 6

Views: 5555

Answers (1)

Karthik

Reputation: 5040

I found the correct way to do this. Instead of comma-separated scopes, you have to use + to separate scopes.

Ex: read+write, write+trust

So the following POST request worked fine.

http://localhost:8080/oauth/token?grant_type=password&client_id=ws&client_secret=secret&scope=read+write&[email protected]&password=temp123

I hope it will help others :)

Upvotes: 7
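Why `+` works and `,` does not, as an added example that is not part of the original answer and is not Spring Security OAuth2's own code: RFC 6749 section 3.3 defines `scope` as a space-delimited list, and in a form-encoded request `+` decodes to a space. The function names, the `CLIENT_SCOPES` table and the `user@example.test` username are constructed for illustration; the client id, secret and scopes mirror the question.

```python
from urllib.parse import parse_qs, urlencode

# Constructed client registration mirroring the question: client "ws"
# is registered with the scopes read, write and trust.
CLIENT_SCOPES = {"ws": {"read", "write", "trust"}}


def build_token_body(scopes, username="user@example.test", password="temp123"):
    """Form-encode a password-grant token request for the POST body."""
    return urlencode({
        "grant_type": "password",
        "client_id": "ws",
        "client_secret": "secret",
        # RFC 6749 section 3.3: scopes are joined with a single space;
        # urlencode() then emits that space as '+'.
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    })


def requested_scopes(raw_body):
    """Decode the form body as a server would and split scope on whitespace."""
    params = parse_qs(raw_body)
    return set(params.get("scope", [""])[0].split())


def check_scopes(client_id, raw_body):
    """Return (granted, rejected) relative to the client's registered scopes."""
    asked = requested_scopes(raw_body)
    allowed = CLIENT_SCOPES[client_id]
    return asked & allowed, asked - allowed


if __name__ == "__main__":
    good = build_token_body(["read", "write"])
    print(good)                               # contains scope=read+write
    print(check_scopes("ws", good))           # both scopes granted
    # A comma is an ordinary character, so "read,write" stays one token
    # and matches none of the registered scopes.
    print(check_scopes("ws", "scope=read,write"))
```

Sending the parameters in the POST body, as `build_token_body` produces them, also keeps `client_secret` and `password` out of the request URL.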
