OAuth2 Device Code Flow requires to be used with a requested scope #19238

@cwiejack

Description

I use the OAuth2 Authorization Server (v4.0.6) with an OAuth client that supports the AuthorizationGrantType "urn:ietf:params:oauth:grant-type:device_code". When I request a device authorization via a POST request to "/oauth2/device_authorization" without any scope and later give consent to the device on the "DefaultConsentPage", an error is thrown.

I think the problem is located in 'OAuth2DeviceAuthorizationConsentAuthenticationProvider', line 182 and following. If the list of authorities is empty, an error is thrown. The message of that error is also somewhat misleading, because the property "client_id" is reported as missing; it should be "scope" instead.

To Reproduce

  • Start the application from the example
  • Execute a device authorization request without any scope
  • Open a browser and go to the URL given in the property "verification_uri_complete" of the previous authorization request
  • Log in (test/test)
  • Click "Submit Consent"

Expected behavior
Because the scope parameter in the initial device authorization request is optional, I expect that I can give consent when no scope was requested.

Sample
Example Project: https://github.com/cwiejack/spring-authorizationserver-device-code-bug
See exampleRequests.http.
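To make the expected behaviour concrete, here is an added Python model of the consent-time scope check (not Spring Authorization Server's code): the `reject_empty` flag reproduces the failure described in this issue, while the default path treats an empty device authorization request as valid, as RFC 8628 section 3.1 allows, and still refuses any consent that widens the originally requested scopes. The function and result names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of the consent-time scope check in a device-code flow.
# It is NOT Spring Authorization Server's code; it only reproduces the
# behaviour the issue describes and contrasts it with RFC 8628 semantics.


@dataclass
class ConsentResult:
    ok: bool
    granted_scopes: frozenset
    error: str = ""          # OAuth2 error code, empty when ok
    error_param: str = ""    # parameter the error message names


def validate_device_consent(requested, authorized, reject_empty=False):
    """Decide which scopes a device receives after the user submits consent.

    requested    - scopes from the original device_authorization request
                   (may be empty: RFC 8628 section 3.1 makes 'scope' OPTIONAL)
    authorized   - scopes the user ticked on the consent page
    reject_empty - model the reported defect: fail when nothing was requested
    """
    requested = frozenset(requested)
    authorized = frozenset(authorized)

    if reject_empty and not requested:
        # Reported behaviour: an error whose message names the wrong parameter.
        return ConsentResult(False, frozenset(), "invalid_request", "client_id")

    # Check that must hold whether or not a scope was sent: the consent page
    # may only narrow the requested scopes, never widen them.
    if not authorized <= requested:
        return ConsentResult(False, frozenset(), "invalid_scope", "scope")

    # An empty request plus an empty consent is a valid grant with no scope.
    return ConsentResult(True, authorized)
```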
