- Issue created by @kingdutch
The TokenUserInterface contains the following two methods:
/**
 * Get the token.
 *
 * @return \Drupal\simple_oauth\Entity\Oauth2TokenInterface
 *   The provided OAuth2 token.
 */
public function getToken(): Oauth2TokenInterface;

/**
 * Get the activated consumer.
 *
 * @return \Drupal\consumers\Entity\Consumer
 *   The activated consumer after authentication.
 */
public function getConsumer(): Consumer;
This couples the TokenAuthUserInterface directly to the stored token entity. This blocks stories such as "Add option to not store access tokens/validate by signature" or attempts to use tokens that might not have been issued by Drupal.
getToken is not used by simple_oauth itself. It is used by the GraphQL OAuth module, but only because the thing it actually wants from the token is its scopes (which are a property of any token implementation).

getConsumer is used in SimpleOauthAuthenticationProvider. However, that's in a place where we already have the entity token and could've also called $token->get('client')->entity.
Replace getToken with getScopes, which should return a list of scope entities that belong to this token. That is information that should always be available and allows other systems to act on it.

We should determine the requirements for other information that should be available regardless of whether a token is backed by a stored entity or not. If needed we may want to introduce a new token interface that can be implemented without the Drupal Entity API so that token information can be made available. That new interface should also be implemented by Oauth2TokenInterface.
Status: Active
Version: 6.0
Component: Code
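To make the proposal concrete, here is a sketch of what a token interface decoupled from the Entity API could look like, together with a non-stored implementation built from already-verified JWT claims and a scope check that depends only on the narrow interface. This is added illustration, not code from the simple_oauth project or the issue author; the interface name ScopedTokenInterface, the class ClaimsBackedToken, the claim names ("scope", "scopes", "client_id") and the helper tokenHasScope() are all assumptions made for the example. An entity-backed adapter wrapping Oauth2TokenInterface would implement the same interface, which is what lets a consumer such as the GraphQL OAuth module stop caring whether the token was ever stored.

```php
<?php

declare(strict_types=1);

/**
 * Hypothetical token interface exposing only what every token implementation
 * can provide, whether or not it is backed by a stored entity.
 * Constructed for this example; not part of simple_oauth.
 */
interface ScopedTokenInterface {

  /**
   * Returns the scope identifiers granted to this token.
   *
   * @return string[]
   */
  public function getScopes(): array;

  /**
   * Returns the client identifier the token was issued to, or NULL if unknown.
   */
  public function getClientId(): ?string;

}

/**
 * A token reconstructed from JWT claims that were never persisted.
 *
 * The caller must have verified the token signature before constructing this
 * object; this class only exposes the claims, it does not validate them.
 * Hypothetical class written for this example.
 */
final class ClaimsBackedToken implements ScopedTokenInterface {

  /**
   * @param array<string, mixed> $claims
   *   Verified JWT claims (constructed sample data in this example).
   */
  public function __construct(private readonly array $claims) {}

  public function getScopes(): array {
    // Accept either an array "scopes" claim or a space-delimited "scope"
    // claim (the form used by RFC 6749 / RFC 8693). Assumed claim names.
    if (isset($this->claims['scopes']) && is_array($this->claims['scopes'])) {
      return array_values(array_map('strval', $this->claims['scopes']));
    }
    $scope = trim((string) ($this->claims['scope'] ?? ''));
    return $scope === '' ? [] : preg_split('/\s+/', $scope);
  }

  public function getClientId(): ?string {
    return isset($this->claims['client_id']) ? (string) $this->claims['client_id'] : NULL;
  }

}

/**
 * Grants access only when the exact required scope is present.
 *
 * Strict comparison avoids accidental matches such as "0" == "" and keeps the
 * check independent of how the token was stored or issued.
 */
function tokenHasScope(ScopedTokenInterface $token, string $required): bool {
  return in_array($required, $token->getScopes(), TRUE);
}

// Constructed sample claims standing in for a signature-validated JWT.
$token = new ClaimsBackedToken([
  'client_id' => 'graphql-client',
  'scope' => 'graphql:read graphql:write',
]);

var_dump(tokenHasScope($token, 'graphql:read'));
var_dump(tokenHasScope($token, 'administer site'));
var_dump($token->getClientId());
```

The point of the shape is that tokenHasScope() and any other access check only ever see ScopedTokenInterface, so the existing entity-backed token and a future signature-validated token are interchangeable from the caller's perspective; the consumer that SimpleOauthAuthenticationProvider needs can still be resolved from the entity in the one place that already has it.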