From c974a59f41ed7a17076e07ac91f6cf6635a749b6 Mon Sep 17 00:00:00 2001
From: Sara Arjona <sara@moodle.com>
Date: Tue, 16 Mar 2021 12:32:20 +0100
Subject: [PATCH] MDL-71119 core_badges: Initialise scopes param in
 backpack-connect.php

The scopes parameter should be passed when creating the OAuth2 badges
client. As it is an optional parameter, when it's empty, it will
be initilised with the supported scopes for the backpack issuer.

It will happen, for instance, when a call is done to oauth2callback.php
because, as defined in RFC6749, OAuth2 authorization response only
supports code and state.
---
 badges/backpack-connect.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/badges/backpack-connect.php b/badges/backpack-connect.php
index ff77f490ee585..0dceb336a8a37 100644
--- a/badges/backpack-connect.php
+++ b/badges/backpack-connect.php
@@ -43,6 +43,10 @@
     $returnurl = new moodle_url('/badges/backpack-connect.php',
         ['action' => 'authorization', 'sesskey' => sesskey(), 'backpackid' => $backpackid]);
 
+    // If scope is not passed as parameter, use the issuer supported scopes.
+    if (empty($scope)) {
+        $scope = $issuer->get('scopessupported');
+    }
     $client = new core_badges\oauth2\client($issuer, $returnurl, $scope, $externalbackpack);
     if ($client) {
         if (!$client->is_logged_in()) {