Bug: Scopes from UserInfo object not propagated for all authentication providers. #2164
Comments
Hey @jblankenship5! I understand the confusion around this. I need to update my answer in the discussion you engage in as well (source). In order to set the scopes for a user you should use the There is however an issue here that needs to be fixed. For all providers (except the email provider) the scopes defined in the user are not used when creating new authentication keys. This means the authentication key might have zero scopes when authenticated through the google provider even though the user has been granted additional scopes. This is a bug that we need to fix and I will update the title of the issue to better reflect it.
You can also use the authentication callback
Thanks for the quick response @SandPod. Could you provide a little more detail around best practices when using It would be great if I could return the updated scopes after setting them, or get the updated scopes via listener on SessionManager from client side.
Unfortunately, this is a consequence of the bug that this issue is targeted to fix. Once resolved, the scopes defined on the

The authentication information stored in the session object is retrieved as soon as the framework or the developer makes a call to Therefore, when you fetch the scopes through

Note that scopes is a server-only concept. The client only gets an authentication key that is tied to certain scopes stored on the server. The client should never be responsible for defining what scopes are granted a user as that would make it easy for a bad actor to escalate their privilege.

Best practices

We first of all need to fix the issue where scopes are not retrieved from
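The server-only scope model described in the comment above, and the provider-dependent bug the issue reports, as an added toy illustration. This is example code written for this page, not Serverpod's code or API: the `UserInfo`/`AuthKey` tables, `sign_in_buggy`, `sign_in_fixed`, `authorize` and the sample user are all hypothetical. Scopes are granted only on the server-side user record, signing in mints an opaque key carrying a copy of those scopes, and authorization consults the key alone, so a scope list supplied by the client has no effect.

```python
"""Toy model of server-side scopes and authentication keys (added example,
not Serverpod code). All names and the in-memory tables are hypothetical."""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class UserInfo:
    user_id: int
    scopes: set = field(default_factory=set)  # granted server-side only


@dataclass
class AuthKey:
    key: str          # opaque token handed to the client
    user_id: int
    provider: str
    scopes: set       # what this key is allowed to do


USERS: dict = {}      # user_id -> UserInfo (constructed in-memory table)
AUTH_KEYS: dict = {}  # token -> AuthKey


def create_user(user_id: int) -> UserInfo:
    USERS[user_id] = UserInfo(user_id)
    return USERS[user_id]


def grant_scopes(user_id: int, scopes: set) -> set:
    """Privileged server-side operation: record new scopes on the UserInfo row."""
    USERS[user_id].scopes |= set(scopes)
    return set(USERS[user_id].scopes)


def _mint_key(user_id: int, provider: str, scopes: set) -> AuthKey:
    token = secrets.token_urlsafe(32)
    AUTH_KEYS[token] = AuthKey(token, user_id, provider, set(scopes))
    return AUTH_KEYS[token]


def sign_in_buggy(user_id: int, provider: str) -> AuthKey:
    """Reproduces the reported defect: only the email provider copies the
    user's scopes onto the new key; every other provider mints an empty key."""
    user = USERS[user_id]
    scopes = user.scopes if provider == "email" else set()
    return _mint_key(user_id, provider, scopes)


def sign_in_fixed(user_id: int, provider: str,
                  client_claimed: Optional[set] = None) -> AuthKey:
    """Corrected behaviour: scopes always come from the server-side record,
    whatever the provider. `client_claimed` stands for any scope list the
    client sent along and is intentionally never consulted, so the client
    cannot grant itself privileges."""
    user = USERS[user_id]
    return _mint_key(user_id, provider, user.scopes)


def authorize(key: str, required: str) -> bool:
    """Endpoint-side check: look the key up and test its stored scopes."""
    auth = AUTH_KEYS.get(key)
    return auth is not None and required in auth.scopes


def scopes_for_key(key: str) -> set:
    """What a client can learn about its own key, by asking the server."""
    auth = AUTH_KEYS.get(key)
    return set(auth.scopes) if auth else set()


if __name__ == "__main__":
    create_user(1)
    grant_scopes(1, {"admin"})
    bad = sign_in_buggy(1, "google")
    good = sign_in_fixed(1, "google", client_claimed={"superuser"})
    print("buggy google key has admin:", authorize(bad.key, "admin"))      # False
    print("fixed google key has admin:", authorize(good.key, "admin"))     # True
    print("client-claimed scope honoured:", authorize(good.key, "superuser"))  # False
```

The point of `scopes_for_key` is that a client wanting to know its current scopes asks the server about its key; nothing on the client side is authoritative, which is why a client-side listener cannot substitute for the server-side check.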
I'm using google sign in... there's nothing in docs (that I've seen) about how to set user scopes that works. I can set the user scopes, but that corresponds to the user scopes in the UserInfo table... which doesn't actually mean anything? I saw in another post that you have to set user scopes on sign in with session.auth.signInUser. Does anyone know how to achieve this with google sign in?