Adding implicit scopes broken for clients requiring consent #98

Open
rhafer opened this issue Jun 1, 2023 · 1 comment
Labels
bug Something isn't working


rhafer commented Jun 1, 2023

I've been trying to implicitly add the LibgreGraph.UUID scope (to always get the lg.uuid claim added to tokens and userinfo) to our client configuration. But it breaks as soon as the client requires consent (e.g. because trusted is not set to true, or when the client sends prompts=consent with the authentication request).

E.g. this (trusted) client config works and successfully includes the lg.uuid claim in the response:

- id: works
  name: ownCloud Web app
  trusted: true
  implicit_scopes:
  - LibgreGraph.UUID
  secret: ""
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native

while this one does not (the only difference is the missing trusted: true):

- id: broken
  name: ownCloud Web app
  implicit_scopes:
  - LibgreGraph.UUID
  secret: ""
  redirect_uris:
  - http://127.0.0.1
  - http://localhost
  origins: []
  application_type: native

How to reproduce

Start lico using the clients registry from https://gist.github.com/rhafer/8f94d55d39332589ba0cb80fd6c1b2ce#file-identifier-registration-yaml

export LDAP_UUID_ATTRIBUTE=entryUUID
export LDAP_....
bin/licod serve --listen 0.0.0.0:9200 \
    --iss=https://ocis.owncloud.test \
    --signing-private-key private-key.pem \
    --encryption-secret encryption.key ldap  \
    --identifier-client-path identifier/build/ \
    --log-level debug \
    --identifier-registration-conf ~/.ocis/idp/tmp/identifier-registration.yaml

I used a slightly modified version of the go-oidc userinfo sample: https://gist.github.com/rhafer/8f94d55d39332589ba0cb80fd6c1b2ce#file-userinfo-go
which basically just returns the userinfo of the authenticated user.

I just copied it into example/userinfo/app.go of a local clone of https://github.com/coreos/go-oidc and ran it with:

CLIENT_ID=works go run example/userinfo/app.go

and point your browser to http://127.0.0.1:5556 (ideally a private window). With CLIENT_ID=works the browser should display the userinfo including the lg.uuid claim (provided the LDAP server in use returns an entryUUID attribute for the user).

To reproduce the error use CLIENT_ID=broken go run example/userinfo/app.go and open a new private session in the browser.
This time you should be prompted for consent, and now the lg.uuid claim is missing from the userinfo. Shouldn't the implicit_scopes always be included regardless of the given consent? Or alternatively, shouldn't the consent page request consent for that scope if it's part of the implicit scopes?

BTW, the problem is also reproducible for trusted clients that require consent. See line 82 on the example app.

longsleep (Collaborator) commented

I have not looked at the details yet, but reading this makes me think that the "implicit scopes" are implicitly added client scopes (as if the client had requested them) but do not implicitly give a grant to get those claims.

So maybe "somewhere on the way through consent" the implicit scopes are lost (as the client never added them, this might simply be an oversight that the implicit scopes are not used when requesting consent).

Needs investigation in the code.
