Thanks to visit codestin.com
Credit goes to github.com

Skip to content

scope is optional in code response_type? #406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ryarnyah opened this issue Feb 22, 2016 · 3 comments
Closed

scope is optional in code response_type? #406

ryarnyah opened this issue Feb 22, 2016 · 3 comments
Labels
Bug OAuth2-Provider This impact the provider part of OAuth2
Milestone
3.0.0

Comments

@ryarnyah
Copy link

Hi!

When i read the doc in _oauthlib/oauth2/rfc6749/grant_types/authorization_code.py_, i can see :
scope OPTIONAL. The scope of the access request as described by Section 3.3_.

But this check assume that scopes is mandatory
if not request.scopes: raise ValueError('Scopes must be set on post auth.')

Am i misunderstanding something?
@romsuhov
Copy link

romsuhov commented Mar 1, 2016

I encountered the same behavior and I don't understand it too. RFC says that scope is optional, exception should not be raised.

@btimby
Copy link

btimby commented Mar 27, 2017

This one bit me too. I monkey-patched it.

# A bit of monkey patching here. OAuthlib states that scope are optional, also
# RFC6749 confirms this, however, one method of the AuthorizationCodeGrant
# class requires scopes to be defined. As I don't know if we are going to use
# scopes, or what the scopes might be, I am going to monkey-patch this class to
# make scopes optional.
#
# https://github.com/idan/oauthlib/issues/406

# Some imports we need for the patching of the monkey...
from oauthlib.oauth2.rfc6749 import errors


def create_authorization_response(self, request, token_handler):
    """
    Monkey-patched version of this method that allows undefined scopes.
    """
    try:
        # Right here is where the base method checks scopes. We omit this check
        # but the rest of the method body is identical.

        self.validate_authorization_request(request)

        log.debug('Pre resource owner authorization validation ok for %r.',
                  request)
    except errors.FataClientError as e:
        log.debug('Fatal client error during validation of %r. %r.',
                  request, e)
        raise
    except errors.OAuth2Error as e:
        log.debug('Client error during validation of %r. %r.', request, e)
        request.redirect_uri = request.redirect_uri or self.error_uri
        return {
            'Location': common.add_params_to_uri(request.redirect_uri,
                                                 e.twotuples)
        }, None, 302

    grant = self.create_authorization_code(request)
    for modifier in self._code_modifiers:
        grant = modifier(grant, token_handler, request)
    log.debug('Saving grant %r for %r.', grant, request)
    self.request_validator.save_authorization_code(
        request.client_id, grant, request)
    return self.prepare_authorization_response(
        request, grant, {}, None, 302)


from oauthlib.oauth2.rfc6749.grant_types.authorization_code import (
    AuthorizationCodeGrant, log
)

AuthorizationCodeGrant.create_authorization_response = \
    create_authorization_response

# Now we can import the rest of what we need from oauthlib.

@skion skion added this to the 3.0.0 milestone Jul 1, 2018
@JonathanHuot
Copy link
Member

You are right, a PR related to this for Implicit has been proposed already at #475, we should extend it to AuthCode!

@luhn luhn mentioned this issue Sep 2, 2018
Merged
@JonathanHuot JonathanHuot added Bug OAuth2-Provider This impact the provider part of OAuth2 labels Dec 3, 2018
@JonathanHuot JonathanHuot mentioned this issue Dec 3, 2018
Closed
23 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug OAuth2-Provider This impact the provider part of OAuth2
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
5 participants
@skion @btimby @JonathanHuot @ryarnyah @romsuhov