-
Notifications
You must be signed in to change notification settings - Fork 992
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Optionally send scopes on refresh for Microsoft Bing #621
base: master
Are you sure you want to change the base?
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
This PR (HEAD: bd60803) has been imported to Gerrit for code review. Please visit https://go-review.googlesource.com/c/oauth2/+/462280 to see it. Tip: You can toggle comments from me using the |
Message from Gopher Robot: Patch Set 1: Congratulations on opening your first change. Thank you for your contribution! Next steps: Most changes in the Go project go through a few rounds of revision. This can be Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
👍 It would be great if this is reviewed and eventually merged as there are a number of similar PRs from people affected by this issue with the refresh token and scopes. |
Message from Nikolay Turpitko: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Message from Matt Hickford: Patch Set 1: Run-TryBot+1 (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Message from Gopher Robot: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Message from tricium-prod@appspot.gserviceaccount.com: Patch Set 1: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Message from Gopher Robot: Patch Set 1: TryBot-Result+1 (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Message from Nikolay Turpitko: Patch Set 1: (2 comments) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
This PR (HEAD: e575d07) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/462280. Important tips:
|
This PR (HEAD: ac28798) has been imported to Gerrit for code review. Please visit Gerrit at https://go-review.googlesource.com/c/oauth2/+/462280. Important tips:
|
Message from Nikolay Turpitko: Patch Set 2: (1 comment) Please don’t reply on this GitHub thread. Visit golang.org/cl/462280. |
Issue addressed by this fork
Microsoft Advertising API returns access token with fewer scopes than initially
granted after using refresh token to obtain a new access token.
It turned around, that it happens because "golang.org/x/oauth2" does not send
scope parameter on refresh request.
It seems, that without this parameter Microsoft API returns access token with
default minimal set of scopes - not one was provided initially.
When request is made with this parameter, it forces Microsoft API to return
access token with correct scope.
History of similar issues and PRs previously submitted to upstream project
#234
#322
https://go-review.googlesource.com/c/oauth2/+/135935
#448
https://go-review.googlesource.com/c/oauth2/+/264037
#509
https://go-review.googlesource.com/c/oauth2/+/332749
#540
https://go-review.googlesource.com/c/oauth2/+/381916
#559
https://go-review.googlesource.com/c/oauth2/+/394696
#579
https://go-review.googlesource.com/c/oauth2/+/421174
#598
At this point it's obvious that changes have slim chances to make into
upstream, because of maintainers' position, best stated
here:
It equally unlikely to persuade Microsoft to make the change.
So, here we are.
Some arguments why this option should be supported
According to RFC, it seems, that issue is indeed on Microsoft side. But looking
at history it is clear that it persisted for quite a long already. Many PRs
have been submitted (and rejected or ignored) to the upstream project during
this time. It seems, that both sides are stubborn to change their mind.
Obviously, we (application programmers) are not in position of endlessly
arguing with Microsoft and Google about correct RFC implementation. We need
some practical workaround to make our work at hands. But just in case, I'll
provide couple of arguments in support of this change.
First of all, RFC 6749 sections 3.3 and 6 says, that indeed this parameter is
optional. But "optional" for me sounds like we should have an option to provide
it, if we have to. So, implementation should not prohibit us to do it.
Second, taking aside Microsoft issue, RFC allows to either send the same or
fewer scopes. May be it is a rare use case, but it is in RFC and upstream
implementation does not address it.
Note about implementation
I reviewed previous PRs and comments of reviewers in Gerrit.
To minimize changes in lib's public interface I changed approach from providing new field on Config/Entrypoint to passing parameter via context. This way, I think, it won't affect existing clients in any way.
New parameter (context value) is absolutely optional. If not set, scopes won't be sent and lib's behavior will not be changed at all.
Though, this fix mainly addresses Microsoft issue, but it also can be used in accordance with RFC 6749 to provide optional scope parameter with same or fewer scopes. So, it not contradicts RFC 6749, but extends library and allows end users to solve their corner cases.