pyrech

@pyrech pyrech commented Jul 13, 2014

RefreshTokens always had a default scope (the config supported_scopes in FosOAuthServerBundle) instead of the scope asked by the client if any.

@Spomky

Spomky commented Jul 13, 2014

You are right, this part must be updated, but your PR does not solve the problem and it creates a new (security) issue.

According to the RFC, the requested scope MUST NOT include any scope not originally granted by the resource owner, and if omitted is treated as equal to the scope originally granted by the resource owner.

With your PR, if a refresh token has "scope1 scope2" and the client requests "scope4", it will receive an access token and a refresh token with "scope4".
If the client requests no scope, the server will issue an access token and a refresh token without any scope, which is wrong too.

The logic should be:

if no scope is requested, then stored scope is used
else,
    if scope is requested, the scope must be within stored scope
    else exception

@pyrech
Author

pyrech commented Jul 13, 2014

Thanks, you're absolutely right. I edited the class and updated the test.

@Spomky

Spomky commented Jul 14, 2014

You should add some new tests to verify the following cases:

  • no scope requested: the refresh token has the scope defined in the old refresh token
  • new scope requested: the exception is thrown
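
As an added example (not code from oauth2-php or from this PR), the rule Spomky describes in the earlier comment and the two cases listed in this one, in Python: `resolve_refresh_scope`, `refresh`, `Token` and `InvalidScopeError` are hypothetical names, and the client-id check is an assumption about what a refresh_token grant handler verifies before touching scope.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


class InvalidScopeError(Exception):
    """Requested scope exceeds what the resource owner originally granted."""


@dataclass(frozen=True)
class Token:
    value: str
    client_id: str
    scope: str  # space-delimited scope string, stored when the token was issued


def resolve_refresh_scope(stored_scope: str, requested_scope: Optional[str]) -> str:
    """RFC 6749 section 6: an omitted scope means 'same as originally granted';
    a requested scope is accepted only if every value was originally granted."""
    granted = stored_scope.split()
    requested = (requested_scope or "").split()
    if not requested:
        # case 1: no scope requested -> the stored scope is used
        return stored_scope
    not_granted = [s for s in requested if s not in granted]
    if not_granted:
        # case 3: scope outside the stored scope -> reject the request
        raise InvalidScopeError("scope not originally granted: " + " ".join(not_granted))
    # case 2: requested scope is within the stored scope; keep the stored order
    # so the result is deterministic and duplicates are dropped
    return " ".join(s for s in granted if s in requested)


def refresh(old: Token, client_id: str, requested_scope: Optional[str]) -> Tuple[Token, Token]:
    """Issue a new access token and refresh token for a refresh_token grant.
    The refresh token must belong to the requesting client (assumed check)."""
    if old.client_id != client_id:
        raise PermissionError("refresh token was issued to a different client")
    access_scope = resolve_refresh_scope(old.scope, requested_scope)
    access = Token(secrets.token_urlsafe(32), client_id, access_scope)
    # RFC 6749 section 6: a newly issued refresh token keeps the scope of the
    # refresh token presented by the client, even when the access token is narrowed
    new_refresh = Token(secrets.token_urlsafe(32), client_id, old.scope)
    return access, new_refresh
```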

@pyrech
Author

pyrech commented Jul 14, 2014

Done :)

@pyrech pyrech changed the title Fixed wrong scope(s) associated to accessToken Use scope asked by the client if any Jul 14, 2014
@jaytaph

jaytaph commented Sep 10, 2014

Really like to see this PR merged as well.

@Spomky

Spomky commented Nov 2, 2014

It can be merged.
@pyrech could you please rebase and squash your PR?

Conflicts:
	lib/OAuth2/OAuth2.php
@pyrech
Author

pyrech commented Nov 2, 2014

Done

@Spomky

Spomky commented Nov 3, 2014

@pyrech many thanks!
@alanbem looks good to me. Can be merged.

alanbem added a commit that referenced this pull request Nov 3, 2014
Use scope asked by the client if any
@alanbem alanbem merged commit 23e7653 into FriendsOfSymfony:master Nov 3, 2014
@alanbem
Member

alanbem commented Nov 3, 2014

@alanbem looks to me. Can be merged.

done!
