fix

Author: wxiaoguang

routers/api/v1/api.go

@@ -321,7 +321,7 @@ func tokenRequiresScopes(requiredScopeCategories ...auth_model.AccessTokenScopeC
 		}
 
 		if !allow {
-			ctx.Error(http.StatusForbidden, "tokenRequiresScope", fmt.Sprintf("token does not have at least one of required scope(s): %v", requiredScopes))
+			ctx.Error(http.StatusForbidden, "tokenRequiresScope", fmt.Sprintf("token does not have at least one of required scope(s), required=%v, token scope=%v", requiredScopes, scope))
 			return
 		}
 

services/oauth2_provider/access_token.go

@@ -91,7 +91,7 @@ func GrantAdditionalScopes(grantScopes string) auth.AccessTokenScope {
 	// since version 1.22, access tokens grant full access to the API
 	// with this access is reduced only if additional scopes are provided
 	accessTokenScope := auth.AccessTokenScope(strings.Join(tokenScopes, ","))
-	if accessTokenWithAdditionalScopes, err := accessTokenScope.Normalize(); err == nil && len(tokenScopes) > 0 {
+	if accessTokenWithAdditionalScopes, err := accessTokenScope.Normalize(); err == nil && accessTokenWithAdditionalScopes != "" {
 		return accessTokenWithAdditionalScopes
 	}
 	return auth.AccessTokenScopeAll

services/oauth2_provider/additional_scopes_test.go

@@ -14,6 +14,7 @@ func TestGrantAdditionalScopes(t *testing.T) {
 		grantScopes    string
 		expectedScopes string
 	}{
+		{"", "all"},
 		{"openid profile email", "all"},
 		{"openid profile email groups", "all"},
 		{"openid profile email all", "all"},
@@ -27,7 +28,7 @@ func TestGrantAdditionalScopes(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		t.Run(test.grantScopes, func(t *testing.T) {
+		t.Run("scope:"+test.grantScopes, func(t *testing.T) {
 			result := GrantAdditionalScopes(test.grantScopes)
 			assert.Equal(t, test.expectedScopes, string(result))
 		})