Why get_authorization_code_scopes is called before validate_code?

[Alemmi]

The validator function get_authorization_code_scopes is called before validate_code, and it is not logical. Why?

• I'm using OIDC
• I'm writing server side

[JonathanHuot]

Hi @Alemmi,

I think that's related to a oauthlib design issue when doing OIDC.
oauthlib needs the "scope" to determine if we have "openid" in it. If yes, it calls the OpenID flow, else it calls the OAuth2 flow. That's the Dispatcher.

Any PRs welcome to improve the situation, but it will involves to find another mechanism to replace the Dispatcher.

If oauthlib remains as it is, I'd recommand to implement both functions, but get_authorization_code_scopes do the actual validation but returns [] if the code is invalid, and validate_code only return the validation status done at the previous callback.