fix(oauth-provider): resolve include: scopes at PAR time#186
Merged
Conversation
PAR was structurally validating `include:<nsid>` scopes (parseScope with allowIncludes=true) but deferring lexicon resolution to the authorize step. A request with a nonexistent permission-set NSID would get a fresh request_uri from PAR and only fail at consent — which is the exact dead-end the original allowIncludes flag claimed to avoid. Reference oauth-provider resolves eagerly at PAR (request-manager.ts: 297-313). Plumb the permissionSetResolver through PARHandler and call expandScope() after parseScope; any resolution failure returns invalid_scope with the NSID in error_description. Constructor now takes the resolver directly (previously a derived allowIncludes boolean). Two new tests cover the resolver-rejects and resolver-accepts cases.
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
pdscheck | 2e0b25a | May 24 2026, 10:29 PM |
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
atproto-pds | 2e0b25a | May 24 2026, 10:29 PM |
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
cirrusdocs | 2e0b25a | Commit Preview URL Branch Preview URL |
May 24 2026, 10:29 PM |
commit: |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
pdscheck's `flow.par-rejects-invalid-include` flagged Cirrus accepting a deliberately bogus permission-set NSID at PAR. Reference oauth-provider rejects this case at PAR (`request-manager.ts:297-313`); Cirrus was structurally validating the scope but deferring lexicon resolution to the authorize step, so the bad include only surfaced at consent time.
Fix
Test plan