Comments (6)
I thought the same, it should only ask for authorization the first time or when the requested scopes changed.
The authorization is stored on ArenaNet's side but there seems to be no check whether an authorization was granted earlier or not. (It has to be stored because of the 'offline' scope and the possibility to revoke authorization.)
I would agree with you. This behavior is common in most implementations. The current behavior can confuse end users.
This is intended -- if you want to persistently log in a user, you should include the offline scope in your authorization request, then store the returned refresh token. You can use the refresh token forevermore to get new access tokens without prompting the user (at least, until they revoke your app).
There are more details in RFC 6749 §1.5 and §6.
(EDIT: though this behavior isn't really set in stone).
(EDIT2: okay, after an internal discussion I have been swayed on this matter (blame @tivac) and we'll change the behavior so that the account site only prompts for authorization if there are new as-yet-unauthorized scopes requested).
What we are trying to do is to use OAuth as authentication and not for accessing the api.
Let's say the user registers for our app using the OAuth login, authorizing our app with all permissions we need. We can now use his account id as user id and store stuff related to him in the database (not from the api, let's say comments, avatar, ...).
Then he wants to log in again (possibly from a different PC), again using OAuth. He needs to authorize the app again, even though he already did so when he registered. We would use this new access token to get his account id (=user id) to get all the data about him from our database.
What we want is to ask the user once for authorization, to get access to all api endpoints we need for our app, and after that just log in the user (just show the login page and instantly redirect back after successful authentication, skipping the app authorization step when the app is already authorized and the scope didn't change).
Edit: I wrote this before I read your second edit @lye, good to hear
> What we are trying to do is to use OAuth as authentication and not for accessing the api.
Yeah, that's basically the argument that @tivac made. Apparently our backend already has support for this, so it's not even that much work to expose it. Will try to get it out sometime soon™.
The fix for this is now deployed -- if you've previously approved a set of scopes for an application, it'll skip future authorization prompts (unless the application's permissions are revoked).
I took a page from Google's OAuth2 implementation and added a feature that lets you bypass this behavior -- if you put approval_prompt=force in your /oauth2/authorize call it will always present the user with the authorization page. This is useful for e.g., testing.
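To make the client side of this thread concrete, here is an added Python sketch (not api-cdi's code): it requests the offline scope when a refresh token is wanted, sets approval_prompt=force to re-show the consent page for testing, validates the state parameter on the callback, and decides whether a returning user must be sent through /oauth2/authorize again or can be served from a stored access or refresh token. The host name, the callback format and the TokenStore logic are assumptions; only the /oauth2/authorize path, the offline scope and approval_prompt=force come from the thread.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"  # hypothetical host; path from thread

def build_authorize_url(client_id, redirect_uri, scopes, persistent=False, force_prompt=False):
    """Return (url, state). persistent=True adds the 'offline' scope so a refresh token is issued
    (RFC 6749 §1.5, §6); force_prompt=True sets approval_prompt=force to always re-show consent.
    state is a CSRF token: bind it to the user's session and check it on the callback."""
    state = secrets.token_urlsafe(32)
    scope_list = list(scopes)
    if persistent and "offline" not in scope_list:
        scope_list.append("offline")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope_list), "state": state}
    if force_prompt:
        params["approval_prompt"] = "force"
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def check_callback(callback_url, expected_state):
    """Validate the provider's redirect and return the code; a state mismatch is discarded."""
    q = parse_qs(urlsplit(callback_url).query)
    got = q.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]

class TokenStore:
    """Per-account token cache: decides whether a returning user must see the consent page again."""
    def __init__(self):
        self._tokens = {}  # account_id -> {"access", "refresh", "expires_at"}

    def save(self, account_id, access, refresh, expires_in, now=None):
        now = time.time() if now is None else now
        self._tokens[account_id] = {"access": access, "refresh": refresh, "expires_at": now + expires_in}

    def next_action(self, account_id, now=None):
        """'use': access token valid; 'refresh': redeem the stored refresh token (offline scope)
        at the token endpoint; 'prompt': no usable token, send the user via /oauth2/authorize."""
        now = time.time() if now is None else now
        t = self._tokens.get(account_id)
        if t is None:
            return "prompt"
        if now < t["expires_at"] - 30:  # 30 s safety margin before expiry
            return "use"
        return "refresh" if t["refresh"] else "prompt"
```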