if the client doesn't ask for any system scopes, but asks for some non-system scopes, they'll now get the defaults instead of none

Justin Richer · Justin Richer · commit 46e7ed203bb1 · 2013-09-06T15:28:35.000-04:00
addresses mitreid-connect#498
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientDynamicRegistrationEndpoint.java
@@ -116,14 +116,14 @@ public String registerNewClient(@RequestBody String jsonString, Model m) {
 			// scopes that the client is asking for
 			Set<SystemScope> requestedScopes = scopeService.fromStrings(newClient.getScope());
 
-			// if the client didn't ask for any, give them the defaults
-			if (requestedScopes == null || requestedScopes.isEmpty()) {
-				requestedScopes = scopeService.getDefaults();
-			}
-
 			// the scopes that the client can have must be a subset of the dynamically allowed scopes
 			Set<SystemScope> allowedScopes = Sets.intersection(dynScopes, requestedScopes);
 
+			// if the client didn't ask for any, give them the defaults
+			if (allowedScopes == null || allowedScopes.isEmpty()) {
+				allowedScopes = scopeService.getDefaults();
+			}
+			
 			newClient.setScope(scopeService.toStrings(allowedScopes));
 
 
