
@fastify/oauth2 - Is it possible to request an additional scope programmatically for oAuth Github #900

Open
agjs opened this issue Jun 29, 2023 · 7 comments
Labels
help wanted Extra attention is needed

Comments

@agjs

agjs commented Jun 29, 2023

Hey folks. I'm using @fastify/oauth2 and it has worked flawlessly for many months now. I'd like to implement a feature in the platform I'm building, where our users could sync their public GitHub repositories with their profiles.

Whatsoever, my fastify/oauth2 by default is configured with only 2 scopes that I really need for authentication:

    await app.register(oAuth2, {
        name: GH_OAUTH_NAME,
        scope: "user:email read:user",
        credentials: {
            client: {
                id: process.env.GH_CLIENT_ID,
                secret: process.env.GH_CLIENT_SECRET,
            },
            auth: oAuth2.GITHUB_CONFIGURATION,
        },

        startRedirectPath: "/auth/github/auth",
        callbackUri: process.env.GH_CALLBACK_URL,
    });

As you can see, I only request a user email and profile when users are authenticating. Whatsoever, I'd like to request a repo scope only if the users actually decide to sync their repositories. In simple words, I don't want to ask users for repo scope when they are logging in, as I don't know if they will ever want to sync the actual repositories.

So the question is: is it possible to request this additional scope when requesting a new token using some of the methods from the library? I've checked the types of all the existing methods, and it doesn't seem like it. In simple words, when users in my platform click "Sync repositories", I'd like to invoke an OAuth flow where I only request a repo scope to perform that action.

Thanks in advance,
Alex

@agjs agjs added the help wanted Extra attention is needed label Jun 29, 2023
@Uzlopak

Uzlopak commented Jun 29, 2023

Shouldn't it be possible to call token.refresh({scope}) and specify your additional scope?

@agjs
Author

agjs commented Jun 29, 2023

@Uzlopak It seems that .refresh doesn't exist on the token that I at least get back from getAccessTokenFromAuthorizationCodeFlow. I only see three properties: access_token, scope and token_type

image

@Uzlopak

Uzlopak commented Jun 29, 2023

I checked it. The issue is that simple-oauth does not provide the typings within the npm package. Also it seems that simple-oauth wants to keep the typings maintained by DefinitelyTyped.

See
lelylan/simple-oauth2#334

If we want to make the typings stronger, we would either integrate the simple-oauth2 typings from DefinitelyTyped, which is not really preferable, or add the typings as a production dependency, which would mean that the typings are also installed when running the code in production, which is also not that preferable.

But the refresh function exists on the token-object. So you could actually call refresh.

Be aware that you probably would get a new access token with the smaller scope if you don't specify the scopes you already have. I don't know if simple-oauth would result in redirecting the SPA to the Authorization Server so that you could approve scopes which you didn't approve at login time. If not, then it is a limitation of simple-oauth2 and would need a patch upstream to enable that.

@agjs
Author

agjs commented Jun 30, 2023

> I checked it. The issue is that simple-oauth does not provide the typings within the npm package. Also it seems that simple-oauth wants to keep the typings maintained by DefinitelyTyped.
>
> See lelylan/simple-oauth2#334
>
> If we want to make the typings stronger, we would either integrate the simple-oauth2 typings from DefinitelyTyped, which is not really preferable, or add the typings as a production dependency, which would mean that the typings are also installed when running the code in production, which is also not that preferable.
>
> But the refresh function exists on the token-object. So you could actually call refresh.
>
> Be aware that you probably would get a new access token with the smaller scope if you don't specify the scopes you already have. I don't know if simple-oauth would result in redirecting the SPA to the Authorization Server so that you could approve scopes which you didn't approve at login time. If not, then it is a limitation of simple-oauth2 and would need a patch upstream to enable that.

The problem is, I tried calling token.refresh() and it's undefined in the context provided on the screenshot above. Am I calling a wrong method? As you can see on my screenshot, the token has 3 primitive properties and has no refresh method on its constructor or anywhere else.

@Uzlopak

Uzlopak commented Jun 30, 2023

I am now in the tram and not on my PC. But if I have the code of simple-oauth2 correctly in mind, you are accessing the .token attribute of the AccessToken instance by doing const { token } = ...

Do instead const token =

Then you should have refresh()
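
The pattern discussed in this thread, as an added example that is not part of the issue or of @fastify/oauth2: it keeps the login scopes when asking for the extra one (the caveat above about ending up with a smaller scope), checks the scope actually granted before using the token, and assumes the simple-oauth2 AccessToken instance (not its .token property) with a refresh({ scope }) method that resolves to a new instance, as described above. The parsing and requestRepoScope names are mine.

```javascript
// Added example (not from the thread or the library): helpers for incremental
// scope requests using the token shape seen in the issue
// ({ access_token, scope, token_type }).

// Assumption: GitHub takes space-delimited scopes in the request and returns
// them comma-delimited in the token response, so accept both separators.
function parseScopes(scopeString) {
  return new Set(String(scopeString || '').split(/[\s,]+/).filter(Boolean));
}

// Scope string to pass to refresh({ scope }): the union of what the user
// already granted at login and what the new action needs, so the refreshed
// token does not silently drop "user:email read:user".
function scopeForRefresh(currentScope, additionalScopes) {
  const merged = new Set([...parseScopes(currentScope), ...additionalScopes]);
  return [...merged].sort().join(' ');
}

// Scopes still missing from a granted scope string. The user may decline the
// extra permission on the consent screen, so never assume the request was
// honoured; check before calling a privileged API.
function missingScopes(grantedScope, required) {
  const granted = parseScopes(grantedScope);
  return required.filter((s) => !granted.has(s));
}

// "Sync repositories" handler sketch. accessToken is assumed to be the
// simple-oauth2 AccessToken instance (const token = ..., not const { token }).
// 'public_repo' is a narrower GitHub scope if only public repositories are
// synced; the issue asks about 'repo', so that is used here.
async function requestRepoScope(accessToken, required = ['repo']) {
  const current = accessToken.token.scope;
  if (missingScopes(current, required).length === 0) return accessToken;
  const refreshed = await accessToken.refresh({
    scope: scopeForRefresh(current, required),
  });
  const missing = missingScopes(refreshed.token.scope, required);
  if (missing.length > 0) {
    throw new Error(`scope not granted: ${missing.join(', ')}`);
  }
  return refreshed;
}
```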

@agjs
Author

agjs commented Jun 30, 2023

> I am now in the tram and not on my PC. But if I have the code of simple-oauth2 correctly in mind, you are accessing the .token attribute of the AccessToken instance by doing const { token } = ...
>
> Do instead const token =
>
> Then you should have refresh()

Ah, gotcha ya. I'll ping you back once I'm back from work and let you know if it worked.

Thanks for the help again, getting back to you soon.
