Comments (10)
But the RFC states that it will be transmitted with the authorization callback.
Where in the RFC does it state that? This crate only implements the Authorization Code Grant, which does require `scope` to be specified in the token response if it differs from the requested scope.
from rocket_oauth2.
In https://tools.ietf.org/html/rfc6749#section-3.3 it states:

"The authorization and token endpoints allow the client to specify the scope of the access request using the "scope" request parameter. In turn, the authorization server uses the "scope" response parameter to inform the client of the scope of the access token issued."
So only if you send a scope parameter the endpoints will answer with scope. The code only sends scope to the authorization endpoint, not to the token endpoint. So it only gets it back for authorization.
And this all makes sense to me. The user selects scope during authorization. He is not involved in token exchange. So we need to check scope after authorization.
from rocket_oauth2.
I am not seeing where my implementation differs from the Authorization Code grant:
- 4.1.1. Authorization Request (rocket_oauth2 produces a redirect to `authorization_uri()`, including `client_id`, `redirect_uri`, and `scope`)
- 4.1.2. Authorization Response (the authentication server produces a redirect to the `redirect_uri` with `code` and `state`)
- 4.1.3. Access Token Request (rocket_oauth2 calls `exchange_code()`, passing `code`, `state`, and `redirect_uri` to the server)
- 4.1.4. Access Token Response (the server returns the fields in `TokenResponse`).
If you have example code that should be receiving a `scope` but isn't, that would be helpful.
from rocket_oauth2.
Look at the pull request I created. It implements the first option.
Your code does not parse the scope response from the auth callback and thereby loses the information. When I requested authorization from Strava, scope was always None with your code. With the proposed change it is filled with the user-selected scope.
from rocket_oauth2.
Here is my oauth code:
```rust
use rocket_oauth2::{Callback, OAuth2, OAuthConfig, TokenResponse};
use rocket_oauth2::hyper_sync_rustls_adapter::HyperSyncRustlsAdapter;
use rocket::response::Redirect;
use rocket::*;
use rocket::http::*;
use super::Config;
use reqwest::Url;
use crate::*;
// `info!` comes from the `log` crate
use log::info;
// use super::error::ResultExt;
// use super::error::Result as MyResult;

/// Called by rocket_oauth2 once the authorization code has been exchanged
/// for a token (RFC 6749 section 4.1.4).
fn callback(request: &Request, token: TokenResponse)
    -> Result<Redirect, Box<dyn std::error::Error>>
{
    info!("got token {:?}", token);
    // Strava adds an `athlete` object to the token response; rocket_oauth2
    // keeps fields it does not know about in `extras`.
    if let Some(athlete) = token.extras.get("athlete") {
        info!("got athlete {} {}, with id {}", athlete["firstname"], athlete["lastname"], athlete["id"])
    };
    let mut cookies = request.guard::<Cookies>().expect("request cookies");
    // Set a private (encrypted and authenticated) cookie with the access token
    cookies.add_private(
        Cookie::build("token", token.access_token)
            .same_site(SameSite::Lax)
            .finish()
    );
    Ok(Redirect::to("/"))
}

/// Builds the rocket_oauth2 fairing for Strava; the client credentials come
/// from the environment, the login route requests the `activity:read_all` scope.
pub fn init_auth() -> impl rocket::fairing::Fairing {
    let provider = rocket_oauth2::Provider {
        auth_uri: "https://www.strava.com/oauth/authorize".into(),
        token_uri: "https://www.strava.com/oauth/token".into(),
    };
    let config = OAuthConfig::new(
        provider,
        std::env::var("CLIENT_ID").expect("Couldn't read var CLIENT_ID"),
        std::env::var("CLIENT_SECRET").expect("Couldn't read var CLIENT_SECRET"),
        "http://localhost:8001/token".into(),
    );
    OAuth2::custom(
        HyperSyncRustlsAdapter,
        callback,
        config,
        "/token",
        Some(("/login", vec!["activity:read_all".to_string()])),
    )
}
```
from rocket_oauth2.
After reading https://developers.strava.com/docs/authentication/ I can only conclude that Strava is either not compliant with the RFC or is not actually using the Authorization Code Grant. They do specify that they send `scope` in the authorization callback and not in the token response, which is not to spec.

https://tools.ietf.org/html/rfc6749#section-4.1.2 clearly lists only `code` and `state` as valid authorization callback parameters, and also says:

"The client MUST ignore unrecognized response parameters."
I don't like the idea of adding lots of workarounds for noncompliant authentication servers, but unfortunately it seems necessary. I will think about the best way to include this change.
from rocket_oauth2.
But it is in sync with section 3.3.
The RFC seems to be written ambiguously
from rocket_oauth2.
I added a commit to only use the auth callback's scope if the token exchange did not return one.
from rocket_oauth2.
> But it is in sync with section 3.3.
> The RFC seems to be written ambiguously

I don't see any ambiguity. Section 3.3 only says "the authorization server uses the "scope" response parameter" but does not specify where the response parameter appears. Section 4.1.4 specifies that it is part of the token response.
Nonetheless, I am going to accept an "early" scope in the auth callback if it is not provided in the token response.
from rocket_oauth2.
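The two points argued in this thread, that the section 4.1.2 redirect carries only `code` and `state` (anything else must be ignored, not rejected) and that a `scope` found there is only a fallback for a token response without one, as an added example in plain Rust using only the standard library. This is not rocket_oauth2's code; the function names (`parse_auth_callback`, `resolve_scope`, `missing_scopes`), the error type and the sample query strings are assumptions made for the example. The state check is included because section 4.1.2 requires the client to verify it before using the code.

```rust
use std::collections::HashMap;

/// Decode one application/x-www-form-urlencoded component (`%XX` and `+`).
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        let b = bytes[i];
        if b == b'+' {
            out.push(b' ');
            i += 1;
        } else if b == b'%' && i + 2 < bytes.len() {
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3])
                .ok()
                .and_then(|h| u8::from_str_radix(h, 16).ok());
            match hex {
                Some(v) => { out.push(v); i += 3; }
                None => { out.push(b); i += 1; }
            }
        } else {
            out.push(b);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Split a query string into key/value pairs; a repeated key keeps the last value.
fn parse_query(query: &str) -> HashMap<String, String> {
    query
        .split('&')
        .filter(|kv| !kv.is_empty())
        .map(|kv| {
            let (k, v) = kv.split_once('=').unwrap_or((kv, ""));
            (percent_decode(k), percent_decode(v))
        })
        .collect()
}

/// What the client keeps from the authorization response: the `code` that
/// section 4.1.2 defines, plus a `scope` that some servers add there although
/// the section does not define it (assumed field name `early_scope`).
#[derive(Debug, PartialEq)]
pub struct AuthCallback {
    pub code: String,
    pub early_scope: Option<String>,
}

#[derive(Debug, PartialEq)]
pub enum CallbackError {
    /// The server answered with the error response of section 4.1.2.1.
    Server { error: String, description: Option<String> },
    MissingCode,
    StateMismatch,
}

/// Parse the redirect's query string. `expected_state` is the value the client
/// generated and stored (e.g. in a cookie) before redirecting the user agent.
pub fn parse_auth_callback(query: &str, expected_state: &str) -> Result<AuthCallback, CallbackError> {
    let params = parse_query(query);
    // A missing or different `state` means this redirect was not caused by our own
    // authorization request; reject it before looking at anything else.
    if params.get("state").map(String::as_str) != Some(expected_state) {
        return Err(CallbackError::StateMismatch);
    }
    if let Some(error) = params.get("error") {
        return Err(CallbackError::Server {
            error: error.clone(),
            description: params.get("error_description").cloned(),
        });
    }
    let code = params.get("code").cloned().ok_or(CallbackError::MissingCode)?;
    // "The client MUST ignore unrecognized response parameters": unknown keys are
    // simply not used; `scope` is picked up opportunistically, never required.
    let early_scope = params.get("scope").cloned();
    Ok(AuthCallback { code, early_scope })
}

/// Precedence as settled in the thread: the token response (section 4.1.4) is
/// authoritative, the callback's `scope` is only used when the token response has none.
/// Scopes are space-delimited per section 3.3.
pub fn resolve_scope(token_scope: Option<&str>, early_scope: Option<&str>) -> Option<Vec<String>> {
    token_scope
        .or(early_scope)
        .map(|s| s.split(' ').filter(|t| !t.is_empty()).map(String::from).collect())
}

/// Requested scopes the user did not grant, so the application can refuse to
/// continue instead of failing later on a resource request.
pub fn missing_scopes(requested: &[&str], granted: &[String]) -> Vec<String> {
    requested
        .iter()
        .filter(|r| !granted.iter().any(|g| g.as_str() == **r))
        .map(|r| r.to_string())
        .collect()
}
```

The `state` comparison is done before the `error` branch on purpose: an error response that does not carry the expected `state` is just as untrusted as a code that does not.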
0.1.0 is now available, including a fix for this issue.
from rocket_oauth2.