From 77c256a9c2f8376da22ba5712598df2df7235ce9 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Mon, 30 Mar 2026 17:25:32 -0600
Subject: [PATCH] test(jwt): assert arrays are invalid for SpaceDelimited scope
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scope must be a space-delimited string per RFC 6749 §3.3, not a JSON array. Adds [] and ["openid","profile"] cases to the existing invalid sub-test with a comment explaining the likely root cause: an issuer using []string instead of SpaceDelimited in its claims struct.
---
 auth/jwt/coverage_test.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/auth/jwt/coverage_test.go b/auth/jwt/coverage_test.go
index 059491e..14008d7 100644
--- a/auth/jwt/coverage_test.go
+++ b/auth/jwt/coverage_test.go
@@ -220,11 +220,20 @@ func TestCov_SpaceDelimited_UnmarshalJSON(t *testing.T) {
 t.Fatalf("expected empty, got %v", s)
 }
 })
+ // Scope must be a space-delimited string per RFC 6749 §3.3, not a number or
+ // JSON array. If a token arrives with "scope":[] the issuer has a bug (e.g.
+ // using []string instead of SpaceDelimited in its claims struct).
 t.Run("invalid", func(t *testing.T) {
 var s SpaceDelimited
 if err := json.Unmarshal([]byte(`123`), &s); err == nil {
 t.Fatal("expected error")
 }
+ if err := json.Unmarshal([]byte(`[]`), &s); err == nil {
+ t.Fatal("expected error")
+ }
+ if err := json.Unmarshal([]byte(`["openid","profile"]`), &s); err == nil {
+ t.Fatal("expected error")
+ }
 })
 }
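Review bot: The three `json.Unmarshal` checks in the `invalid` sub-test reuse one `s` and all fail with the same `t.Fatal("expected error")`, so a regression does not say which document was wrongly accepted. Because a scope claim that decodes leniently can end up feeding an authorization decision, I would loop over the inputs with a fresh `SpaceDelimited` per case and put the input in the failure message, as below. Other non-string JSON kinds (an object, `true`) may be worth adding to the list if UnmarshalJSON is meant to reject them; that implementation is not visible here. The test function starts above the hunk.

```go
	t.Run("invalid", func(t *testing.T) {
		// One fresh value per input so a failure names the offending document.
		for _, in := range []string{`123`, `[]`, `["openid","profile"]`} {
			var s SpaceDelimited
			if err := json.Unmarshal([]byte(in), &s); err == nil {
				t.Fatalf("expected error for %s, got %v", in, s)
			}
		}
	})
```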