Feature request: Simplified scope request returns empty scopes instead of expected Cartesian product with role-based scopes

[u0x01]

Describe the bug

When using simplified scope configuration in Logto, the scope handling behavior appears inconsistent with RFC 8707/RFC6749 Section 3.3 specifications. While explicit scope requests work as expected, using simplified scope configuration results in empty scopes being returned, rather than the expected intersection of available and requested scopes.

Expected behavior

When using simplified scope configuration (Cartesian product of scopes and resources), the system should:

1. Process the simplified scopes (read, write) against the resource's defined scopes (shopping:read, shopping:write)
2. Return the intersection of available and requested scopes when obtaining resource tokens
3. Follow RFC 8707/RFC6749 Section 3.3 specifications for scope resolution

Example expected result for a user with role-based scopes [shopping:read, shopping:write]:

• When requesting scopes [read, write], should return [shopping:read, shopping:write]

How to reproduce?

1. Configure API resource with scopes shopping:read and shopping:write
2. Create a role with scopes shopping:read and shopping:write
3. Assign the role to a user
4. Configure Logto client with simplified scopes:

export const logtoConfig = {
  scopes: ['read', 'write'],
  resources: ['https://shopping.your-app.com/api'],
};

5. Initiate authentication flow
6. Attempt to obtain resource token through /oidc/token endpoint using either:
   • grant_type: authorization_code
   • grant_type: refresh_token
7. Observe that returned scopes are empty [] instead of the expected [shopping:read, shopping:write]

Context

• Logto Cloud
• Self-hosted, Logto version =
  • Container (Docker image)
  • Raw Node.js

Additional context

For comparison, when using explicit scope configuration, everything works as expected:

export const logtoConfig = {
  scopes: ['shopping:read', 'shopping:write'],
  resources: ['https://shopping.your-app.com/api'],
};

This configuration correctly returns the expected scopes based on user roles.

Test environment details:

• Test Resource has scopes [shopping:read, shopping:write]
• Test Role has scopes [shopping:read, shopping:write]
• User has Test Role
• Requested scopes during Auth phase: [read, write]

Doc Ref
configure-logto-client

[wangsijie]

I'll take a look

[wangsijie]

That is a feature request, the scope in Logto is a simple string, it won't be parsed, so read won't become shopping:read.

[wangsijie]

Hi, after checking the RFC, "intersection" means scopes and resources, for example, by this config:

export const logtoConfig = {
  scopes: ['read', 'write'],
  resources: ['https://shopping.your-app.com/api', 'https://shopping2.your-app.com/api'],
};

You'll get scopes read and write for both resources (if authorized), which means you can use read and write for https://shopping.your-app.com/api, and also able to use read and write for https://shopping2.your-app.com/api.