Provide default scopes if client is not requesting a specific scope

Created on 5 March 2017, over 8 years ago
Updated 1 September 2022, about 3 years ago

Problem/Motivation

The scope argument is optional in the OAuth2 framework. Therefore the resource owner is allowed to provide a default behavior for a situation where a client is not requesting a specific scope. The current behavior is that all the Scopes configured for the client will be applied, but user roles are ignored.

Proposed resolution

  • Add all user roles by default as a scope if client does not request any scopes.
  • Document the behavior for the situation where the scope is not defined

Remaining tasks

User interface changes

API changes

User roles are added to scopes when client is requesting access token without providing any scopes.

Data model changes

Feature request
Status

Closed: outdated

Version

5.2

Component

Code

Created by

🇫🇮Finland lauriii Finland


Merge Requests

Comments & Activities


  • 🇺🇸United States grasmash

    I don't understand how this can be achieved in 6.0. The goal is to dynamically assign scopes based on the user role. The ability to add default roles per consumer does not achieve assigning default roles per user -- users of different roles may use the same consumer.

  • Status changed to Needs review 6 months ago
  • 🇧🇪Belgium dieterholvoet Brussels

    However, we could add an event that developers can subscribe to (or a hook alter) to alter the scope negotiation behaviour on a custom module.

    I opened a new MR that does this: it adds hook_simple_oauth_scopes_alter(), which allows altering the requested scopes.

  • Merge request !178: Add hook_simple_oauth_scopes_alter() (Open), created by dieterholvoet
  • 🇧🇪Belgium dieterholvoet Brussels

    dieterholvoet changed the visibility of the branch 6.0.x to hidden.

  • 🇧🇪Belgium dieterholvoet Brussels

    dieterholvoet changed the visibility of the branch 2857930-provide-default-scopes-6.x to hidden.

  • 🇧🇪Belgium dieterholvoet Brussels

    dieterholvoet changed the visibility of the branch 2857930-2857930-provide-default-scopes-6.x to hidden.

  • 🇧🇪Belgium dieterholvoet Brussels

    The example in simple_oauth.api.php is what users would have to add to a custom module to achieve what this issue is about.

  • Pipeline #452301 finished with Success, 6 months ago (Total: 261s)
  • 🇳🇱Netherlands askibinski

    FYI: this issue becomes more important when using Dynamic Client Registration with OAuth, which I was implementing. In such a case the authorization code grant type is used and the client does not manually select any scopes but we need default scopes to be set otherwise the request becomes invalid.

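The comments above describe two things: the alter hook added in MR !178 (hook_simple_oauth_scopes_alter()) as the place where a custom module can change scope negotiation, and the need for default scopes when a client sends a token request with no scope parameter at all. The following is an added illustration of how a site-specific module could combine the two; it is not code from the simple_oauth project, and the module name "mymodule", the scope ids, the role-to-scope mapping, and in particular the hook's parameter list (scopes by reference plus a context array carrying the user id and client id) are assumptions that must be checked against simple_oauth.api.php in the installed version.

```php
<?php

/**
 * @file
 * Hypothetical module "mymodule": default scopes derived from user roles.
 *
 * Added example, not part of simple_oauth. The hook name comes from the
 * thread; the parameter list is an ASSUMPTION for this illustration.
 */

use Drupal\user\Entity\User;

/**
 * Implements hook_simple_oauth_scopes_alter().
 *
 * When the client requested no scope at all, fill in defaults derived from
 * the resource owner's roles. Explicitly requested scopes are left untouched
 * so a client can still ask for less than its maximum.
 *
 * @param string[] $scopes
 *   Scope identifiers requested by the client (assumed: an empty array when
 *   the request carried no "scope" parameter).
 * @param array $context
 *   Assumed to contain 'user_id' (the resource owner) and 'client_id'.
 */
function mymodule_simple_oauth_scopes_alter(array &$scopes, array $context): void {
  // Only act when the client did not ask for anything specific.
  if (!empty($scopes)) {
    return;
  }
  // Grants without a resource owner (e.g. client credentials) get no
  // role-based defaults; this hook only mirrors a user's roles.
  if (empty($context['user_id'])) {
    return;
  }

  $account = User::load($context['user_id']);
  if ($account === NULL) {
    return;
  }

  // Constructed mapping from Drupal role ids to scope ids. The scope ids are
  // hypothetical; a real site would keep this mapping in module configuration.
  $role_to_scope = [
    'authenticated' => 'content:read',
    'content_editor' => 'content:write',
  ];

  // getRoles(TRUE) excludes the locked anonymous/authenticated roles, so the
  // 'authenticated' role is added back explicitly as the baseline for every
  // logged-in user.
  $roles = array_merge(['authenticated'], $account->getRoles(TRUE));

  $defaults = [];
  foreach ($roles as $role) {
    if (isset($role_to_scope[$role])) {
      $defaults[] = $role_to_scope[$role];
    }
  }

  // Deduplicate and reindex. If no role maps to a scope the list stays empty,
  // so the authorization server still rejects the request instead of the
  // hook silently widening access beyond what the user's roles justify.
  $scopes = array_values(array_unique($defaults));
}
```

The design choice worth noting is the early return on a non-empty request: the hook only supplies defaults, it never adds scopes on top of what a client explicitly asked for, which keeps the granted scope set no wider than either the client's request or the user's roles.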