Closes #5913: Add new sessionToken scope #6155
Conversation
Codecov Report
@@             Coverage Diff             @@
##             master    #6155     +/-   ##
============================================
- Coverage     18.93%   18.93%   -0.01%
  Complexity      436      436
============================================
  Files           288      288
  Lines         11287    11288       +1
  Branches       1536     1536
============================================
  Hits           2137     2137
- Misses         8988     8989       +1
  Partials        162      162
LGTM, provided both pairing and regular flows work :-)
Still seems to crash in @vladikoff's local testing.
@vladikoff any updates on this?
We should probably wait for Firefox 71. @rfk do you have any other ideas? I am wondering if we can do something to "handle" crashes that happen if the OAuth
I'm fine with waiting for 71 (a month from now).
Depends how we feel about the experience on ESR. The reason this is a problem on 70 but not 71 is that 70 uses BrowserID assertions for authorizing OAuth codes, while 71 directly uses its sessionToken. Since BrowserID assertions don't tell you what sessionToken was used to generate them, we can't track the sessionToken info through the OAuth code grant and use it to generate a cloned session on the other side. Now that danny has landed phase 2 of the auth/oauth server merger, it's possible that we could do something more clever on the server-side here. For example, I believe BrowserID assertions embed the originating deviceId, we might be able to use that to look up the sessionToken that should be associated with a particular OAuth code. Alternately, when claiming the code, the server could detect the case where we can't generate a sessionToken and could remove it from the list of granted scopes, rather than failing the whole request. The client would need to be prepared to handle the case where it doesn't get granted all the scopes it requested, but OAuth clients should in theory be prepared for that at any time.
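The two code-grant paths and the "drop the scope instead of failing" idea from the comment above, as an added model that is not fxa-auth-server or Fenix code. The scope string, the code-record shape, the deviceId-to-sessionToken lookup map and the `clone-of-` token format are assumptions made for illustration.

```javascript
// Constructed model of claiming an OAuth code when the sessionToken scope was
// requested. Not the project's own code; all names below are assumptions.
const SESSION_SCOPE = 'https://identity.mozilla.com/tokens/session'; // assumed scope name

// A pending OAuth code as the server might store it after authorization.
// BrowserID path (Firefox 70): only the assertion's deviceId is known.
// Direct path (Firefox 71): the originating sessionTokenId is known.
function makeCode(id, requestedScopes, { sessionTokenId = null, deviceId = null } = {}) {
  return { id, requestedScopes, sessionTokenId, deviceId };
}

// Claim a code. If the sessionToken scope was requested but the server cannot
// work out which sessionToken to clone (no direct id, and no deviceId lookup
// hit), drop that scope from the grant rather than failing the whole request.
// `deviceIndex` is an assumed map of deviceId -> sessionTokenId, modelling the
// "look it up via the assertion's deviceId" option.
function claimCode(code, deviceIndex = new Map()) {
  let sessionTokenId = code.sessionTokenId;
  if (!sessionTokenId && code.deviceId && deviceIndex.has(code.deviceId)) {
    sessionTokenId = deviceIndex.get(code.deviceId);
  }
  const granted = code.requestedScopes.filter(
    (s) => s !== SESSION_SCOPE || sessionTokenId !== null,
  );
  return {
    scope: granted,
    // A cloned session is only minted when we know what to clone (assumed format).
    sessionToken: granted.includes(SESSION_SCOPE) ? `clone-of-${sessionTokenId}` : undefined,
  };
}

// Client side: compare the grant with what was requested and degrade to the
// reduced capability set instead of treating a partial grant as an error.
function handleGrant(requested, grant) {
  const missing = requested.filter((s) => !grant.scope.includes(s));
  return { hasSession: grant.sessionToken !== undefined, missing };
}
```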
123c1f6 to d4343c0
@grigoryk Rebased!
d4343c0 to 55143be
55143be to 857a3b2
Relanding #5914
@grigoryk r?