Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add required scopes to token and renewAuth requests #654

Merged
merged 2 commits into from
May 3, 2023
Merged

Add required scopes to token and renewAuth requests #654

merged 2 commits into from
May 3, 2023

Conversation

poovamraj
Copy link
Contributor

Changes

We have added required scope to renewAuth and token requests in AuthenticationAPIClient. Up until now these methods wouldn't have worked without adding scope "openid" to the request. This didn't have effect on internal usage as we always added the default scopes. But usage outside through the API client will fail always until the scope is added.

References

#648

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage

  • This change adds integration test coverage

  • This change has been tested on the latest version of the platform/language or why not

@poovamraj poovamraj requested a review from a team as a code owner May 2, 2023 11:47
Widcket
Widcket reviewed May 3, 2023
View reviewed changes
auth0/src/main/java/com/auth0/android/authentication/ParameterBuilder.kt
@JvmStatic
public fun newBuilderWithRequiredScope(): ParameterBuilder {
return newBuilder()
.setScope(OidcUtils.REQUIRED_SCOPE)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the developer is already adding the openid scope, will this result in it being duplicated?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you see the setScope method, it will use includeRequiredScope which avoids repetition as you mentioned. There are existing internal mechanisms to avoid this.

@poovamraj poovamraj requested a review from Widcket May 3, 2023 15:02
@poovamraj poovamraj merged commit 96f3263 into main May 3, 2023
3 checks passed
@poovamraj poovamraj deleted the support-token-and-renew-auth-request branch May 3, 2023 16:11
@poovamraj poovamraj mentioned this pull request May 5, 2023
Merged
@d4rken
Copy link

d4rken commented Jul 17, 2023

@poovamraj

This change caused unexpected behavior in our app.

Previously we specified openid profile email offline_access during login, When the accessToken expired and we refreshed, we do so with scope specified as null. According to docs this means that the previous scope is kept (scope specified during our login).

When using getCredentials and renewing the accessToken:

Before this change newBuilder is used for renew, it uses an empty parameter map, no scope is specified in the request, so the request doesn't contain a scope parameter and the server returns the previous scope.

With this change the newBuilderWithRequiredScope function is used and a default scope of openid is used, scope is no longer null and the server returns a new token with the scope openid and it's no longer the old scope.

Is this intended or a bug?

@poovamraj
Copy link
Contributor Author

@d4rken The code that checks if the scope has changed uses the value provided in the getCredentials so it will still work as mentioned in the documentation. You can see the code here and here.

@d4rken
Copy link

d4rken commented Jul 17, 2023
edited
Loading

I compared 2.7.0 against 2.9.3 in the debugger.

            if (scope != null) {
                request.addParameter("scope", scope)
            }

This re-adds the scope if one was specified in getCredentials(scope = ... but if none is specified? 🤔 Previously it used storedScope, but now it uses the scope from the new default request constructor?

@poovamraj
Copy link
Contributor Author

@d4rken I agree, we have to revert this commit. We will cut a release soon (today or tomorrow)

poovamraj added a commit that referenced this pull request Jul 17, 2023
@poovamraj
Revert changes from #654. Fix renew Credentials logic
bddb662
@poovamraj poovamraj mentioned this pull request Jul 17, 2023
Merged
3 tasks
@poovamraj
Copy link
Contributor Author

poovamraj commented Jul 17, 2023
edited
Loading

@d4rken you can see that it is reverted here - #670. This will ensure the scopes are empty if they are not set unlike adding openid to it.

@d4rken
Copy link

d4rken commented Jul 17, 2023

Thanks for the quick response.

poovamraj added a commit that referenced this pull request Jul 17, 2023
@poovamraj
Revert changes from #654. Fix renew Credentials logic (#670)
f90820e
@poovamraj poovamraj mentioned this pull request Jul 18, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Widcket Widcket Widcket approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@poovamraj @d4rken @Widcket