
Reported this package to Snyk for having a critical bug (privilege escalation) #720

Open
Uzlopak opened this issue Nov 16, 2021 · 0 comments

Uzlopak commented Nov 16, 2021

My Report:

If oauth2-server is implemented in a way that uses JWTs for OAuth2 access tokens, which contain the scope in the JWT body, and these are used by the resource servers in a stateless manner, and the scope is used by the resource server to check whether a specific action is permissible, this critical issue could occur.

Another factor for leveraging this exploit: validateScope has to be implemented in a specific way. In the documentation for implementing validateScope there are two variants. If the implementer uses the variant "accept partially valid scopes", then the server will filter invalid scopes but not stop the OAuth2 flow if the user requests a scope which he does not have access to.
https://oauth2-server.readthedocs.io/en/latest/model/spec.html#model-validatescope

The generateAccessToken function of the oauth2-server model gets the scope passed in. As an implementer you expect that the scope is validated and stripped of invalid or not-allowed scopes when using the "accept partially valid scopes" implementation. So you would generate your JWT with the provided scope.

generateAccessToken is called from saveToken but gets the unsanitized scope, as mentioned above, because validateScope is running in parallel:

```js
AuthorizationCodeGrantType.prototype.saveToken = function(user, client, authorizationCode, scope) {
```

So any JWT will contain invalid or not-allowed scopes, e.g. the "admin" scope, thus allowing a privilege escalation and access to the resources with admin permissions.

Only in the case that the user is refreshing the token with the refresh_token OAuth2 flow will he get an access token with the right scope, as the scope will be taken from the database.

Uzlopak changed the title from "Reported this package to Snyk for having a critical bug" to "Reported this package to Snyk for having a critical bug (privilege escalation)" on Nov 16, 2021