Authorization Server consent fails on client with no registered scopes

[Kehrlann]

Describe the bug

If a registered client supporting the authorization_code has no scopes, and requires authorization consent.
When a client makes an authorization request decision, they see a consent screen with no scopes displayed (see screenshot).
If the user clicks "submit consent", an oauth2 error redirect happens, because it is expected that there is at least one scope consented to (source)

Expected behavior

I see three options:

• Disallow the "require consent + 0 scope" combination for clients
• Allow the combination but skip the consent screen
• Allow the combination, present the screen and allow the user to click "submit consent"

Screenshot

[ryujungkyun]

I'd like to work on this issue.

[Kehrlann]

For info, my current workaround, to skip the screen if there are no registered scopes:

/**
 * Customizer for {@link OAuth2AuthorizationCodeRequestAuthenticationProvider}, that
 * removes the need for consent when a client was registered with 0 scopes. Otherwise, the
 * user cannot get past the consent screen with no scopes present. It is lifted from
 * {@link OAuth2AuthorizationCodeRequestAuthenticationProvider}'s
 * {@code isAuthorizationConsentRequired}, with a special case for "no scopes registered".
 *
 * @see <a href=
 * "https://github.com/spring-projects/spring-security/issues/18565">spring-security/issues/18565</a>
 * @author Daniel Garnier-Moiroux
 */
class McpNoScopeClientConsentNotRequired implements Predicate<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public boolean test(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		if (!authenticationContext.getRegisteredClient().getClientSettings().isRequireAuthorizationConsent()) {
			return false;
		}
		if (authenticationContext.getAuthorizationRequest().getScopes().isEmpty()) {
			return false;
		}
		// 'openid' scope does not require consent
		if (authenticationContext.getAuthorizationRequest().getScopes().contains(OidcScopes.OPENID)
				&& authenticationContext.getAuthorizationRequest().getScopes().size() == 1) {
			return false;
		}

		if (authenticationContext.getAuthorizationConsent() != null && authenticationContext.getAuthorizationConsent()
			.getScopes()
			.containsAll(authenticationContext.getAuthorizationRequest().getScopes())) {
			return false;
		}

		return true;
	}

	public static ObjectPostProcessor<OAuth2AuthorizationCodeRequestAuthenticationProvider> postProcessor() {
		return new ObjectPostProcessor<>() {
			@Override
			public <O extends OAuth2AuthorizationCodeRequestAuthenticationProvider> O postProcess(
					O authenticationProvider) {
				authenticationProvider.setAuthorizationConsentRequired(new McpNoScopeClientConsentNotRequired());
				return authenticationProvider;
			}
		};
	}

}

Then configure your auth server:

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) {
	return http.oauth2AuthorizationServer(authServer -> {
			authServer.addObjectPostProcessor(McpNoScopeClientConsentNotRequired.postProcessor());
			// ... more authserver customizations
		})
		// ... more security config
		.build();
}