-
Notifications
You must be signed in to change notification settings - Fork 6
-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
oauth2 not possible with google-oauth-java-client #164
Comments
please see: https://tools.ietf.org/html/rfc6749#section-3.3 |
here's a side by side comparison
This clearly shows how twitch token endpoint fails to follow RFC
That's the reason why googles oauth lib fails to parse the scope correctly - cause twitch serves it wrong. This has to be fixed! Get this straight - and fix a lot of crap you caused by it ... |
Thanks for your feedback regarding the scope format. While we strive to follow RFCs as closely as possible, occasionally deviations do occur. Changing our scope value from an array to a space-separated string would be a significant breaking change for existing applications. Making this change to be inline with the RFC does not outweigh the disruption it will cause, so we will not be updating the format in the current implementation. This may be something to consider in a future implementation, but as there is no action at this time, this issue will be closed. |
@jbulava given this breaks basically every oauth library, and as you said, a full switch is not reasonable for compatibility, would it be possible to bodge it? Most, if not all libraries have a way to set the scopes requested, and I was wondering if it would be possible to check for a specific new scope "space_seperated_scopes" for example. In the case where the scope exists, the scopes are returned as a space separated string following the RFC. Anyone who doesn't want to switch, doesn't have to, and anyone who wants to use a library still can. Theoretically this could also allow for an easier transition period to using the rfc implementation at some point in the future as well. |
Thanks for the follow up. I'll bring this idea to the team that oversees authentication. |
@jbulava any update on this? I wrote an in-between service that handles things, but I would rather not need to host an entire extra program if not needed. |
Is it possible to get an update on this? |
Almost a year later, can we get an update on this? This is a pretty critical issue for most people who use an IdP broker. Obviously a breaking change would be bad, but you already use a non standard |
There are multiple ways for this to be implemented in a backwards compatible way, as described already. Having a non-standard OAuth2 makes almost all language-specifc libraries break. This is a major pain point, as our options are to either fork, or play whack-a-mole trying to implement workarounds for all OAuth2 libraries... if this kind of workarounds are in line with the libraries' philosophy in the first place. If there is an internal reason why this can't be implemented, I'd understand, but limiting the fix to a disruptive implementation just means that Twitch does not deem it financially worth it to spend the developer time to support a nondisruptive fix. I'd like to charitable, but this was reported 2.5 years ago, and several people suggested suitable fixes, and like I said, this is a major pain point in the Twitch API. @jbulava any updates? |
As the maintainer of two such Rust libraries (https://github.com/ramosbugs/oauth2-rs and https://github.com/ramosbugs/openidconnect-rs), I think it would be nice for Twitch and other companies who fail to follow the RFCs to at least chip in and sponsor the libraries that have to regularly respond to these issues. I've had at least 4 issues/PRs filed by Twitch users alone. 🙄 The cavalier attitude demonstrated by "occasionally deviations do occur" while completely externalizing the impacts of these engineering mistakes to third-party maintainers and devs trying to build integrations is offensive, honestly. |
Just found the reply while cleaning my mail server - 4 years and NOTHING has happend? This is just ridiculous. @jbulava Are there ANY updates since? How about pitching this issue again? Oh, btw - as this issue is still present - how about re-opening it? Closing github issues means the problem was resolved - which this here clearly is not! |
please see: googleapis/google-oauth-java-client#487
possible cause of issue: token endpoint return scopes as array with single space separated string
but google-oauth-lib actually expects just space separated string without the array brackets around it
don't know if root cause of issue is caused by bad json implementation in googles lib or on twitch reply
The text was updated successfully, but these errors were encountered: