Contrib.social

'user_access' OAuth2 scope not handled

Open on Drupal.org β†’
Created on 21 January 2022, almost 3 years ago
Updated 30 October 2023, about 1 year ago

Problem/Motivation

The current implementation of `FarmScopeRepository` in conjunction with the Consumer entities - as described in https://www.drupal.org/project/farm/issues/3167752 β†’ - appears to allow for OAuth clients to request a token either with "user access" by passing the empty string for the scope or a token that is limited to a specific set of roles by passing the names of those roles - e.g. "farm_manager" - as the scope.

It doesn't appear to allow a token to be requested with the "user_access" scope as the docs seem to indicate;

I think it is a useful feature to support what the docs indicate since it means that an OAuth2 client could work the same against farmOS 1.x and 2.x as far as authentication goes, then once authenticated could check `/farm.json` and `/api` to see what version of farmOS it is talking to.

Steps to reproduce

Create a OAuth2 consumer called "farmos_development" and follow the "Authorization Code Grant" flow verbatim: https://github.com/farmOS/farmOS/blame/5f49e10f2afbf518ebf13ab400af0c9ac...

Proposed resolution

`FarmScopeRepository` should be updated to accept the `user_access` scope which will be handled the same as though all the users current roles were specified.

I'm happy to create/send a PR to that effect if we agree that's the right course of action.

Remaining tasks

TBD

User interface changes

N/A

API changes

N/A

Data model changes

N/A

πŸ› Bug report
Status

Closed: won't fix

Version

3.0

Component

API

Created by

symbioquine

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States m.stenta

    Bumping this to 3.x - but it may need to be updated/closed if the Simple OAuth v6 upgrade affects it.

  • Status changed to Closed: won't fix about 1 year ago
  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States paul121 Spokane, WA

    I should note that those tools and scripts won't support both farmOS 1.x and 2.x long term,

    ... and now 3.x and Simple OAuth v6 is in the mix. In v6 consumers can no-longer automatically grant "user access" to a token. This is because all scopes must now be created separate of roles, either as an OAuth2 Scope config entity, or be defined in a static scopes file. There is no guarantee that scopes have been created for each role that exists in the system (although I think this would be a nice convenience thing for simple OAuth to offer).

    Ultimately I think it is a good that API integrations be more specific in requesting which scopes they require and not blanket granting all user access. This will require some work in the short term for existing apps/integrations to upgrade and make sure the relevant scopes exist on the server(s) they are connecting to. But in the long term this new implementation of OAuth2 scopes should make things easier because we can provide a default set of scopes that are based on permissions instead of roles, and applications can be more confident that these general purpose scopes they are requesting will exist (eg: "asset:view", "asset:create")

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024