fix: accessToken scopes clean serialization and default as empty list #1125
Conversation
| String scopes = | ||
| OAuth2Utils.validateOptionalString( | ||
| List<String> scopes = | ||
| OAuth2Utils.validateOptionalListString( |
There was a problem hiding this comment.
For the existing token with string-typed scopes in the token store, this validation will fail, and they need to refresh to get a new access token?
There was a problem hiding this comment.
The feature is not shipped yet, it was checked in late last year. Basically trying to improve it before it is shipped.
There was a problem hiding this comment.
added this detail to the change description
There was a problem hiding this comment.
This makes sense as we do not need to worry about breaking existing customers.
| throw new IOException( | ||
| String.format(VALUE_WRONG_TYPE_MESSAGE, errorPrefix, "List<String>", key)); | ||
| } | ||
| return (List<String>) value; |
There was a problem hiding this comment.
There is no type check for List<String>. Check is for List. What happens if value is something like List<Int>
There was a problem hiding this comment.
Should be acceptable as we serialize ourselves. And if the type is wrong its most likely tampered and will fail anyways.
Removing extra processing from access token copes serialization
Making empty list of scopes as default, no null
The original change that introduces Scopes into AccessToken is not shipped yet, therefore this change does not change the existing behavior