From d83751ad506974832ab8329a62a7ef35a62f28b9 Mon Sep 17 00:00:00 2001 From: AJ ONeal Date: Thu, 26 Mar 2026 18:21:28 -0600 Subject: [PATCH] test(jwt): document why arrays are invalid for SpaceDelimited scope MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Scope is a space-delimited string per RFC 6749 §3.3. A token with "scope":[] indicates an issuer bug ([]string instead of SpaceDelimited in the claims struct). Adds array cases to the existing invalid test and explains the expected root cause. --- auth/jwt/coverage_test.go | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/auth/jwt/coverage_test.go b/auth/jwt/coverage_test.go index 00b9803..14008d7 100644 --- a/auth/jwt/coverage_test.go +++ b/auth/jwt/coverage_test.go @@ -220,22 +220,19 @@ func TestCov_SpaceDelimited_UnmarshalJSON(t *testing.T) { t.Fatalf("expected empty, got %v", s) } }) + // Scope must be a space-delimited string per RFC 6749 §3.3, not a number or + // JSON array. If a token arrives with "scope":[] the issuer has a bug (e.g. + // using []string instead of SpaceDelimited in its claims struct). t.Run("invalid", func(t *testing.T) { var s SpaceDelimited if err := json.Unmarshal([]byte(`123`), &s); err == nil { t.Fatal("expected error") } - }) - // Scope must be a space-delimited string per RFC 6749 §3.3, not a JSON array. - // If a token arrives with "scope":[] it means the issuer has a bug (e.g. using - // []string instead of SpaceDelimited in its claims struct). - t.Run("array_is_invalid", func(t *testing.T) { - var s SpaceDelimited if err := json.Unmarshal([]byte(`[]`), &s); err == nil { - t.Fatal("expected error for array-typed scope; issuer may have a []string bug") + t.Fatal("expected error") } if err := json.Unmarshal([]byte(`["openid","profile"]`), &s); err == nil { - t.Fatal("expected error for array-typed scope; issuer may have a []string bug") + t.Fatal("expected error") } }) }