- Notifications
You must be signed in to change notification settings - Fork1.6k
fix: add scopes to token hook on authorization_code#3970
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:master
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
CLAassistant commentedMar 27, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
|
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeJWTBearer))|| | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) { | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword))|| | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeAuthorizationCode)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think the reason that authorization code is left out of here is that a lot of this information is already determined when handling the authorization endpoint. I think the token endpoint should not be receiving the scope and audience parameters in the authorization code flow.
Line 1306 callsHandler.updateSessionWithRequest which should grant the scopes. If the scopes aren't available in the token hook, I think something else must be going on.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
And I hope the drive-by is welcome! I'm not a maintainer here or anything, just someone who saw your note about this PR on Slack and was curious and has spent some time recently staring at some of this code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think what may be happening here is that fosite is supposed to handle this but it's called in two phases. First it's called to process the token request, then it's called to issue the token response. I think the token hook might be getting called in between these two phases. Moving some code between the two phases in fosite fixes the issue, I think.
I put up adraft fosite PR that seems to fix this for me, but haven't checked yet whether tests need to be updated or looked into whether there are other consequences to be aware of.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Just to explain that a little more clearly, maybe. The token endpoint handler does these things:
- Calls
fosite.OAuth2Provider.NewAccessRequest(), which calls the fosite code to handle the token request. This is just above your patch. - Runs the code around where you've patched here, to handle some things that fosite does not.
- Calls all the hooks returned from
Registry.AccessTokenHooks(), just below the code in your patch. That's where the token hook gets called. - Calls
fosite.OAuth2Provider.NewAccessResponse(), which calls the fosite code to generate a response.
So, I think my patch in fosite is moving the code that reads the granted scope and audience, already set and persisted by the consent flow, and updates the token request. It moves this from step 4 to step 1 so that it's visible in the token hook in step 3.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I think you are on to something!
I'll keep this PR in draft until we have a resolution from your's as well if you don't mind
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
That sounds like the right move!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hello, this definitely is not correct. This code part is only for machine interaction. User interaction has to be done differently.
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeJWTBearer))|| | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) { | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword))|| | ||
| accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeAuthorizationCode)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hello, this definitely is not correct. This code part is only for machine interaction. User interaction has to be done differently.
Uh oh!
There was an error while loading.Please reload this page.
Related issue(s)
#3969#3891#3969
Adding
authorization_codeto conditional of adding scopes to the requests for the token hookChecklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments