Validate CIMD scope, grant_types and response_types against AS policy (#5385)

* Validate CIMD scope, grant_types and response_types against AS policy

C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address tgrunnagle review feedback on CIMD validation

F1  Move TestUnionScopes to registration package where UnionScopes lives;
    delete now-empty handlers/scopes.go and handlers/scopes_test.go
F2  Add assert.ErrorIs(ErrInvalidClient)/NotErrorIs(ErrNotFound) to
    all CIMD policy rejection tests to pin the error type change
F4  Replace 6 positional NewCIMDStorageDecorator args with
    CIMDDecoratorConfig struct — prevents silent swap of adjacent []string
F5  Omitted-scope now calls ValidateScopes(nil, scopesSupported) matching
    DCR: returns DefaultScopes when DefaultScopes ⊆ ScopesSupported,
    error otherwise (document must declare scope explicitly)
F6  Fix dcrErr.Error → dcrErr.ErrorDescription in scope validation hint
    so the human-readable description reaches the fosite hint field
F7  slices.Clone scope slices in CIMDDecoratorConfig constructor
F8  Fix buildFositeClient doc: "when empty" not "when nil"
F9  Export ValidatePublicGrantTypes/ValidatePublicResponseTypes from
    registration package; replace hand-rolled loops in cimd_decorator.go
    with calls to these shared validators — grant_type/response_type
    validation is now identical on both DCR and CIMD paths
F10 Rename AcceptsSupportedGrantTypes→AcceptsOmittedGrantTypes and
    RejectsRefreshTokenOnly→RejectsGrantTypesMissingAuthorizationCode
F11 Remove redundant TestBuildFositeClient_ScopeDefaultsToScopesSupported
    (real decision lives in fetch(), not buildFositeClient)
F12 Update slog.Warn message to name the security consequence when
    CIMD+BaselineClientScopes are both configured

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: amirejaz

pkg/authserver/server/handlers/authorize.go

@@ -66,7 +66,9 @@ func (h *Handler) AuthorizeHandler(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	slog.Debug("parsed client-requested scopes", //nolint:gosec // G706: scope count is an integer
+	slog.Debug("authorize request received",
+		"client_id", clientID,
+		"redirect_uri", redirectURI,
 		"scope_count", len(scopes),
 	)
 

pkg/authserver/server/handlers/dcr.go

@@ -77,7 +77,7 @@ func (h *Handler) RegisterClientHandler(w http.ResponseWriter, req *http.Request
 	// offline_access) — every DCR-registered client gains the ability to request
 	// these scopes at /oauth/authorize regardless of what they registered with.
 	if len(h.config.BaselineClientScopes) > 0 {
-		effective := unionScopes(scopes, h.config.BaselineClientScopes)
+		effective := registration.UnionScopes(scopes, h.config.BaselineClientScopes)
 		if !slices.Equal(effective, scopes) {
 			// Baseline-driven expansion is the intended behavior whenever
 			// baseline_client_scopes is configured, so per-registration

pkg/authserver/server/handlers/scopes.go

@@ -327,3 +327,47 @@ func ValidateScopes(requestedScopes, allowedScopes []string) ([]string, *DCRErro
 
 	return scopes, nil
 }
+
+// UnionScopes returns the union of requested and baseline scopes, preserving
+// the order of requested first, then appending any baseline scopes not already
+// present. Duplicates are removed. Returns nil when the result is empty.
+//
+// Both inputs must already be validated by the caller. UnionScopes does not
+// filter empty strings or validate scope syntax — it only deduplicates and
+// merges in stable order.
+func UnionScopes(requested, baseline []string) []string {
+	seen := make(map[string]bool, len(requested)+len(baseline))
+	out := make([]string, 0, len(requested)+len(baseline))
+	for _, s := range requested {
+		if !seen[s] {
+			seen[s] = true
+			out = append(out, s)
+		}
+	}
+	for _, s := range baseline {
+		if !seen[s] {
+			seen[s] = true
+			out = append(out, s)
+		}
+	}
+	if len(out) == 0 {
+		return nil
+	}
+	return out
+}
+
+// ValidatePublicGrantTypes validates the grant_types for a public OAuth client,
+// applying the same rules as DCR: authorization_code must be present, and all
+// declared values must be in the allowed set. Returns the validated slice (with
+// defaults applied when nil/empty) or a *DCRError on violation.
+func ValidatePublicGrantTypes(grantTypes []string) ([]string, *DCRError) {
+	return validateGrantTypes(grantTypes)
+}
+
+// ValidatePublicResponseTypes validates the response_types for a public OAuth
+// client, applying the same rules as DCR: code must be present and all declared
+// values must be in the allowed set. Returns the validated slice (with defaults
+// applied when nil/empty) or a *DCRError on violation.
+func ValidatePublicResponseTypes(responseTypes []string) ([]string, *DCRError) {
+	return validateResponseTypes(responseTypes)
+}

pkg/authserver/server/handlers/scopes_test.go

@@ -694,3 +694,31 @@ func TestValidateScopeSubset(t *testing.T) {
 		})
 	}
 }
+
+func TestUnionScopes(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		req      []string
+		baseline []string
+		want     []string
+	}{
+		{name: "both nil returns nil", req: nil, baseline: nil, want: nil},
+		{name: "both empty returns nil", req: []string{}, baseline: []string{}, want: nil},
+		{name: "requested only preserved unchanged", req: []string{"openid", "profile"}, baseline: nil, want: []string{"openid", "profile"}},
+		{name: "baseline only returned when no requested", req: nil, baseline: []string{"openid", "email"}, want: []string{"openid", "email"}},
+		{name: "requested subset of baseline expands correctly", req: []string{"openid"}, baseline: []string{"openid", "profile", "email"}, want: []string{"openid", "profile", "email"}},
+		{name: "disjoint sets: requested first then baseline", req: []string{"openid", "profile"}, baseline: []string{"email", "offline_access"}, want: []string{"openid", "profile", "email", "offline_access"}},
+		{name: "exact match produces no duplicates", req: []string{"openid", "profile"}, baseline: []string{"openid", "profile"}, want: []string{"openid", "profile"}},
+		{name: "duplicates in requested are deduplicated", req: []string{"openid", "openid", "profile"}, baseline: nil, want: []string{"openid", "profile"}},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got := UnionScopes(tt.req, tt.baseline)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/authserver/server/registration/dcr.go

@@ -177,7 +177,19 @@ func newServer(ctx context.Context, cfg Config, stor storage.Storage, opts ...se
 	// so that GetClient calls for HTTPS client_id values are intercepted at the
 	// fosite level (not just the handler level).
 	if cfg.CIMDEnabled {
-		stor, err = storage.NewCIMDStorageDecorator(stor, true, cfg.CIMDCacheMaxSize, cfg.CIMDCacheFallbackTTL)
+		if len(cfg.BaselineClientScopes) > 0 {
+			slog.Warn("CIMD is enabled with baseline_client_scopes configured; "+
+				"any third-party client resolved via CIMD will also receive these scopes — "+
+				"ensure they are scopes you would grant by default to any unknown client",
+				"baseline_client_scopes", cfg.BaselineClientScopes)
+		}
+		stor, err = storage.NewCIMDStorageDecorator(stor, storage.CIMDDecoratorConfig{
+			Enabled:              true,
+			CacheMaxSize:         cfg.CIMDCacheMaxSize,
+			FallbackTTL:          cfg.CIMDCacheFallbackTTL,
+			ScopesSupported:      cfg.ScopesSupported,
+			BaselineClientScopes: cfg.BaselineClientScopes,
+		})
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialize CIMD storage decorator: %w", err)
 		}