scope parameter is not returned by token exchange

[hcrohland]

Hi Jeb,

just started using your crate.

Your code assumes that the scope parameter is returned by the token exchange.
But the RFC states that it will be transmitted with the authorization callback.
So TokenResponse.scope is always none.

I am willing to work on a patch but I am unsure how to do it:

• Fill TokenResponse.scope in fn handle or...
• Change the callback interface to have an explicit parameter and remove the scope from struct TokenResponse.

The first one should be easy. But this field does not really belong in TokenResponse. And if we wanna add Refresh token support it would not be able to fill the scope field.

What do you think?

Cheers,
Christoph

[jebrosen]

But the RFC states that it will be transmitted with the authorization callback.

Where in the RFC does it state that? This crate only implements the Authorization Code Grant, which does require scope to be specified in the token response if it differs from the requested scope.

[hcrohland]

In https://tools.ietf.org/html/rfc6749#section-3.3 it states:
"The authorization and token endpoints allow the client to specify the
scope of the access request using the "scope" request parameter. In
turn, the authorization server uses the "scope" response parameter to
inform the client of the scope of the access token issued.
"
So only if you send a scope parameter the endpoints will answer with scope. The code only sends scope to the authorization endpoint, not to the token endpoint. So it only gets it back for authorization.

And this all makes sense to me. The user selects scope during authorization. He is not involved in token exchange. So we need to check scope after authorization.

[jebrosen]

I am not seeing where my implementation differs from the Authorization Code grant:

4.1.1. Authorization Request (rocket_oauth2 produces a redirect to authorization_uri(), including client_id, redirect_uri, and scope)
4.1.2. Authorization Response (the authentication server produces a redirect to the redirect_uri with code and state)
4.1.3. Access Token Request (rocket_oauth2 calls exchange_code(), passing code, state, and redirect_uri to the server)
4.1.4. Access Token Response (the server returns the fields in TokenResponse).

If you have example code that should be receiving a scope but isn't, that would be helpful.

[hcrohland]

Look at the pull request I created. It implements the first option.

Your code does not parse the scope response from the auth callback and by that looses the information. When I request authorization from strava scope was always None with your code. With the proposed change it is filled with the user selected scope.

[hcrohland]

Here is my oauth code:

`use rocket_oauth2::{Callback, OAuth2, OAuthConfig, TokenResponse};
use rocket_oauth2::hyper_sync_rustls_adapter::HyperSyncRustlsAdapter;

use rocket::response::Redirect;
use rocket::;
use rocket::http::;
use super::Config;
use reqwest::Url;
use crate::*;

// use super::error::ResultExt;
// use super::error::Result as MyResult;

fn callback(request: &Request, token: TokenResponse)
-> Result<Redirect, Box>
{

info!("got token {:?}", token);
if let Some(athlete) = token.extras.get("athlete") {
    info!("got athlete {} {}, with id {}", athlete["firstname"], athlete["lastname"], athlete["id"])
};
let mut cookies = request.guard::<Cookies>().expect("request cookies");

// Set a private cookie with the access token
cookies.add_private(
    Cookie::build("token", token.access_token)
        .same_site(SameSite::Lax)
        .finish()
);
Ok(Redirect::to("/"))

}

pub fn init_auth () -> impl rocket::fairing::Fairing {
let provider = rocket_oauth2::Provider {
auth_uri: "https://www.strava.com/oauth/authorize".into(),
token_uri: "https://www.strava.com/oauth/token".into()
};
let config = OAuthConfig::new(provider,
std::env::var("CLIENT_ID").expect("Couldn't read var CLIENT_ID"),
std::env::var("CLIENT_SECRET").expect("Couldn't read var CLIENT_SECRET"),
"http://localhost:8001/token".into());

OAuth2::custom(HyperSyncRustlsAdapter, callback, config, "/token", Some(("/login", vec!["activity:read_all".to_string()])))

}
`

[jebrosen]

After reading https://developers.strava.com/docs/authentication/ I can only conclude that Strava is either not compliant with the RFC or is not actually using the Authorization Code Grant. They do specify that they send scope in the authorization callback and not in the token response, which is not to spec.

https://tools.ietf.org/html/rfc6749#section-4.1.2 clearly lists only code and state as valid authorization callback parameters, and also says:

The client MUST ignore unrecognized response parameters.

---

I don't like the idea of adding lots of workarounds for noncompliant authentication servers, but unfortunately it seems necessary. I will think about the best way to include this change.

[hcrohland]

But it is in sync with section 3.3.
The RFC seems to be written ambiguously

[hcrohland]

I added a commit to only use the auth callback's scope if the token exchange did not return one.

[jebrosen]

But it is in sync with section 3.3.
The RFC seems to be written ambiguously

I don't see any ambiguity. Section 3.3 only says "the authorization server uses the "scope" response parameter" but does not specify where the response parameter appears. 4.1.4. specifies that it is part of the token response.

Nonetheless, I am going to accept an "early" scope in the auth callback if it is not provided in the token response.

[jebrosen]

0.1.0 is now available, including a fix for this issue.