6 Commits

Author SHA1 Message Date
d83751ad50
test(jwt): document why arrays are invalid for SpaceDelimited scope
Scope is a space-delimited string per RFC 6749 §3.3. A token with
"scope":[] indicates an issuer bug ([]string instead of SpaceDelimited
in the claims struct). Adds array cases to the existing invalid test
and explains the expected root cause.
2026-03-26 18:21:28 -06:00
95cf5941c4
test(jwt): assert scope array is invalid (issuer []string bug trap)
SpaceDelimited must unmarshal from a space-delimited string per RFC 6749
§3.3, not a JSON array. If a token arrives with "scope":[] the issuer
has a bug (e.g. using []string instead of SpaceDelimited in its claims
struct). This test documents that expectation and will catch any attempt
to silently accept the invalid form.
2026-03-26 17:02:21 -06:00
0fc1ae4da8
Revert "fix(jwt): accept JSON array for SpaceDelimited scope claim"
This reverts commit 2a9cec75efa9f36682e65b675cc8826d3460f455.
2026-03-26 17:01:44 -06:00
2a9cec75ef
fix(jwt): accept JSON array for SpaceDelimited scope claim
Some issuers (e.g. PaperOS) emit `scope` as a JSON array (`[]` or
`["openid","profile"]`) instead of the RFC 6749 space-delimited string.
SpaceDelimited.UnmarshalJSON now accepts both forms; a JSON array
is converted to the equivalent slice. Other non-string, non-array
values still return an error.

Adds test cases: array_values and array_empty.
2026-03-26 16:59:11 -06:00
0d99234914
ref!(auth/jwt): variadic requiredScopes in NewAccessTokenValidator
Distinguishes the two validator constructors by signature:
- NewIDTokenValidator(iss, aud, azp []string) — allowlist semantics
- NewAccessTokenValidator(iss, aud []string, requiredScopes ...string) — requirement semantics

Variadic scopes read naturally at the call site:
  NewAccessTokenValidator(issuers, audiences, "openid", "profile")

Three-state semantics preserved:
  no args        → scope not checked
  []string{}...  → scope must be present (any value)
  "openid", ...  → scope must contain all listed values

Also removes the old gracePeriod parameter from both constructors
(was 0 at all call sites; set GracePeriod on the struct directly
if a non-default value is needed).

Adds TestCov_NewAccessTokenValidator_Scopes covering all three cases.
2026-03-17 08:00:45 -06:00
26bdc0a3db
ref!(auth/jwt): full modern rewrite
2026-03-17 07:49:53 -06:00
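The contract these commits settle on (scope is a space-delimited string, a JSON array is an issuer bug and is rejected rather than converted) together with the three-state requiredScopes semantics described in 0d99234914, as an added Go example written for this page. It is not the repository's code; the SpaceDelimited, accessClaims and ValidateScope names, the claim JSON and the variadic signature are assumptions modelled on the commit messages.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SpaceDelimited (a reconstruction, not the project's type) is a scope claim
// that must arrive as a space-delimited string per RFC 6749 §3.3.
type SpaceDelimited []string
// UnmarshalJSON accepts only a JSON string; an array such as "scope":[]
// is rejected rather than converted, since it signals an issuer-side bug.
func (s *SpaceDelimited) UnmarshalJSON(b []byte) error {
	var raw string
	if err := json.Unmarshal(b, &raw); err != nil {
		return fmt.Errorf("scope: want space-delimited string, got %s", b)
	}
	*s = SpaceDelimited(strings.Fields(raw))
	return nil
}
type accessClaims struct { // hypothetical minimal claims struct
	Scope *SpaceDelimited `json:"scope"` // nil when the claim is absent
}
var ErrScopeMissing = errors.New("scope: claim required but absent")
var ErrScopeRequired = errors.New("scope: required value not granted")
// ValidateScope applies the three-state semantics: no args → not checked,
// []string{}... → must be present (any value), "a", "b" → must contain all.
func ValidateScope(claimsJSON string, required ...string) error {
	var c accessClaims
	if err := json.Unmarshal([]byte(claimsJSON), &c); err != nil {
		return err // array-form scope fails here regardless of policy
	}
	if required == nil {
		return nil
	}
	if c.Scope == nil {
		return ErrScopeMissing
	}
	granted := map[string]bool{}
	for _, sc := range *c.Scope {
		granted[sc] = true
	}
	for _, want := range required {
		if !granted[want] {
			return fmt.Errorf("%w: %q", ErrScopeRequired, want)
		}
	}
	return nil
}
```

Calling ValidateScope with no trailing arguments leaves required nil, while `[]string{}...` passes a non-nil empty slice, which is exactly how the variadic constructor distinguishes "not checked" from "must be present".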