Be more conservative when validating scopes. #72
Imagine that a client requests a token with scopes
```python
def validate_scopes(self, client_id, scopes, client, request, *args, **kwargs):
    """Ensure the client is authorized access to requested scopes."""
    if set(client.default_scopes).issuperset(set(scopes)):
        return True
    if hasattr(client, 'validate_scopes'):
        return client.validate_scopes(scopes)
    return True
```
If I haven't defined that method on the second conditional, a provider using this default method will approve the generation of a token with more scopes than it should be allowed to have.
I realize developers can currently avoid this behavior in two ways:
Regardless, it seems weird to have the most permissive and possibly dangerous option be the default one.
I have a follow up question concerning why
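The behaviour described in the issue, as an added example that is not part of the original post or of the project's code. The `Client` and `RestrictiveClient` classes are constructed stand-ins for a provider's client model, `validate_scopes_permissive` reproduces the default quoted above, and `validate_scopes_conservative` is one possible stricter variant (an assumption about what "more conservative" could look like, not a change the project confirms): it consults the client's own `validate_scopes` hook when present and otherwise requires the requested scopes to be a subset of `default_scopes`, with no permissive fall-through. The example also shows a second consequence of the quoted ordering: because the `default_scopes` check comes first, a client that defines `validate_scopes` is never asked about a scope that happens to be in `default_scopes`.

```python
from dataclasses import dataclass, field


@dataclass
class Client:
    """Constructed stand-in for a provider's client model (hypothetical)."""
    client_id: str
    default_scopes: list = field(default_factory=list)


@dataclass
class RestrictiveClient(Client):
    """Constructed client that implements the optional validate_scopes hook."""
    allowed_scopes: list = field(default_factory=list)

    def validate_scopes(self, scopes):
        # The client's own policy: only scopes it explicitly allows.
        return set(self.allowed_scopes).issuperset(set(scopes))


def validate_scopes_permissive(client_id, scopes, client, request=None,
                               *args, **kwargs):
    """The default quoted in the issue: unknown scopes fall through to True."""
    if set(client.default_scopes).issuperset(set(scopes)):
        return True
    if hasattr(client, 'validate_scopes'):
        return client.validate_scopes(scopes)
    return True


def validate_scopes_conservative(client_id, scopes, client, request=None,
                                 *args, **kwargs):
    """One stricter variant (assumption, not the project's code).

    A client-supplied hook decides when present; otherwise the requested
    scopes must be a subset of default_scopes. Nothing falls through to True.
    """
    if hasattr(client, 'validate_scopes'):
        return bool(client.validate_scopes(scopes))
    return set(client.default_scopes).issuperset(set(scopes))


def compare(client, requested):
    """Run both validators on the same request and report their decisions."""
    return {
        'permissive': validate_scopes_permissive(client.client_id, requested, client),
        'conservative': validate_scopes_conservative(client.client_id, requested, client),
    }


if __name__ == '__main__':
    # Constructed sample clients and scope requests.
    plain = Client('plain-client', default_scopes=['email'])
    restrictive = RestrictiveClient('strict-client',
                                    default_scopes=['email', 'admin'],
                                    allowed_scopes=['email'])

    # No validate_scopes hook, request exceeds default_scopes:
    # the permissive default still approves the token.
    print(compare(plain, ['email', 'admin']))
    # Hook present, but 'admin' is in default_scopes so the permissive
    # default never consults the hook; the conservative variant does.
    print(compare(restrictive, ['admin']))
```

The first call is the case the issue raises: a client with no `validate_scopes` method asks for `admin`, which is not in its `default_scopes`, and the quoted default returns `True` anyway. The second call shows why the check order matters even for clients that do implement the hook.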