Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't see how and why oauth2_backend:verify_resowner_scope/3 returns a client #44

Closed
IvanMartinez opened this issue Jul 15, 2014 · 2 comments
Closed

Can't see how and why oauth2_backend:verify_resowner_scope/3 returns a client #44

IvanMartinez opened this issue Jul 15, 2014 · 2 comments

Comments

@IvanMartinez
Copy link
Contributor

Hello all,
I can't understand the change made here to verify_resowner_scope's result:
511fc9c
How can the function return a client from a resource owner and a scope?. And what is the point of doing so?. Apparently it has to be the same client as the one returned by get_client_identity/2 in oauth2:authorize_code_request/6. How is this supposed to work?.
Thank you,
Ivan
@drobakowski
Copy link
Contributor

Hi @IvanMartinez,

this change was introduced to solve a problem that occurred while using oauth2:authorize_password/4 (not oauth2:authorize_code_request/6) and afterwards trying to use oauth2:refresh_access_token/2. For more details please see #38. I also don’t see a way how the client can be obtained directly from the resource owner and scope. It should be obtained from your backend context maybe through a mapping resource owner -> client and depend on your implementation. How do you verify if the scope is valid for the resource owner, couldn’t you also use this context for a resource owner -> client mapping? An maybe not so "clean" alternative could also be the AppCtx?

Greets,
David

drobakowski referenced this issue Jul 15, 2014
@drobakowski
Add additional oauth2:authorize_password/6 with previous client authe…
511fc9c 
…ntication and fix for #38

WARNING: Breaks the compatibility with existing backend implementations

The client can now be authenticated before the resource owner's
credentials. See RFC6749 / Section 4.3.2 for more details.
In addition to AppCtx and Scope, oauth2_backend:verify_resowner_scope/3
now returns the ClientIdentity so that oauth2:authorize_resource_owner/3
can set the client for the #authorization{} record and
oauth2:refresh_access_token/5 can be successfully executed.
@IvanMartinez
Copy link
Contributor Author

Hello David,
The spec is not obvious about this, but I understand (specially from points 1.5 and 6) that only confidential (authenticated) clients can get refresh tokens. So if oauth2:authorize_password/4 is used no refresh token must be issued and oauth2:refresh_access_token/2 won't be used. Issuing refresh tokens to public clients doesn't look secure to me and raises many issues, as we can see here.
Greetings,
Ivan

IvanMartinez pushed a commit to IvanMartinez/oauth2 that referenced this issue Jul 16, 2014
Fixes kivra#44 by assuming only confidential clients get refresh tokens.
300adf1
IvanMartinez pushed a commit to IvanMartinez/oauth2 that referenced this issue Jul 17, 2014
Fixes kivra#44 by assuming only confidential clients get refresh tokens.
f9003a1
IvanMartinez pushed a commit to IvanMartinez/oauth2 that referenced this issue Jul 17, 2014
Fixes kivra#44 by assuming only confidential clients get refresh tokens.
b955958
IvanMartinez pushed a commit to IvanMartinez/oauth2 that referenced this issue Jul 17, 2014
Fixes kivra#44 by not issuing refresh tokens to public clients.
2e6b616
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@drobakowski @IvanMartinez