-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
scope parameter is not returned by token exchange #2
Comments
Where in the RFC does it state that? This crate only implements the Authorization Code Grant, which does require |
In https://tools.ietf.org/html/rfc6749#section-3.3 it states: And this all makes sense to me. The user selects scope during authorization. He is not involved in token exchange. So we need to check scope after authorization. |
I am not seeing where my implementation differs from the Authorization Code grant: 4.1.1. Authorization Request ( If you have example code that should be receiving a |
Look at the pull request I created. It implements the first option. Your code does not parse the scope response from the auth callback and by that looses the information. When I request authorization from strava scope was always None with your code. With the proposed change it is filled with the user selected scope. |
Here is my oauth code: `use rocket_oauth2::{Callback, OAuth2, OAuthConfig, TokenResponse}; use rocket::response::Redirect; // use super::error::ResultExt; fn callback(request: &Request, token: TokenResponse)
} pub fn init_auth () -> impl rocket::fairing::Fairing {
} |
After reading https://developers.strava.com/docs/authentication/ I can only conclude that Strava is either not compliant with the RFC or is not actually using the Authorization Code Grant. They do specify that they send https://tools.ietf.org/html/rfc6749#section-4.1.2 clearly lists only
I don't like the idea of adding lots of workarounds for noncompliant authentication servers, but unfortunately it seems necessary. I will think about the best way to include this change. |
But it is in sync with section 3.3. |
I added a commit to only use the auth callback's scope if the token exchange did not return one. |
I don't see any ambiguity. Section 3.3 only says "the authorization server uses the "scope" response parameter" but does not specify where the response parameter appears. 4.1.4. specifies that it is part of the token response. Nonetheless, I am going to accept an "early" scope in the auth callback if it is not provided in the token response. |
0.1.0 is now available, including a fix for this issue. |
Hi Jeb,
just started using your crate.
Your code assumes that the scope parameter is returned by the token exchange.
But the RFC states that it will be transmitted with the authorization callback.
So TokenResponse.scope is always none.
I am willing to work on a patch but I am unsure how to do it:
The first one should be easy. But this field does not really belong in TokenResponse. And if we wanna add Refresh token support it would not be able to fill the scope field.
What do you think?
Cheers,
Christoph
The text was updated successfully, but these errors were encountered: