-
Notifications
You must be signed in to change notification settings - Fork 114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Defer to Doorkeeper when scopes are missing #79
Closed
Closed
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
578fc0e
Update README.md
125a86f
Update README.md
90c7549
Add handling for invalid parameters in controller helper
76f8011
Merge branch 'fix_invalid_parameter_500'
f842e22
Defer to doorkeeper's default behavior with invalid params
d8a6e3d
Refactor to accomodate old behavior and desired behavior
38b129e
Merge pull request #1 from mavenlink/defer-to-doorkeeper-on-invalid-p…
urnf File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear - this PR is obviously meant to raise questions and NOT to be merged - we're curious if we need to guarantee the validity of
pre_auth
afterresource_owner_authenticator
is run. Are we supposed to verify thatpre_auth
is valid with a validclient
before we get to this point?If not, calling
scopes
can attempt tobuild_scopes
in the PreAuthorization with anil
client.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm not sure what you mean, can you rephrase?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for looking at this @toupeira !
I might be missing something about this, so correct me if I'm wrong with my assumptions:
Doorkeeper::OpenIDConnect::Helpers::Controller
overrides base Doorkeeper'sauthenticate_resource_owner!
, calls it (withsuper
), opens the resource owner returned, and runs OIDC specific behavior (prompt
analysis +max_age
check)pre_auth.client
is valid. Every other part of the PreAuthorization can be missing -redirect_uri
,scopes
, andresponse_type
can benil
and it'd still work fine because onlyscopes
is used in this context andscopes
in PreAuthorization does aclient
lookup if it's missing.authenticate_resource_owner!
is calling doorkeeper configresource_owner_authenticator
Because of that:
resource_owner_authenticator
need to validatepre_auth.client?
so that by the time we drop intoDoorkeeper::OpenIDConnect::Helpers::Controller:authenticate_resource_owner!
we guarantee thatpre_auth.scopes
doesn't raise an exception trying to grabclient
ifscopes
doesn't exist.I noticed that #80 puts it back in, so I think that answers the question.
That being said, I'm wondering if it's worth checking
pre_auth.valid?
rather than specificallypre_auth.client
.Would it make sense to ensure that
response_type
,client
,redirect_uri
are valid before we take action (they seem required in the OIDC RFC?) or is it something you want to leave to the base Doorkeeper gem itself when we finish and it drops down to theauthorized_applications_controller
orauthorizations_controller
?Let me know if it's a concern I should put on that PR. Thanks!