jaredhanson / oauth2orize

OAuth 2.0 authorization server toolkit for Node.js.

Home Page:https://www.oauth2orize.org?utm_source=github&utm_medium=referral&utm_campaign=oauth2orize

scope is not set in parameter "ares"

msanguineti opened this issue · comments

I've implemented the authorization code grant exactly like in the given example:

server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done) {
    AuthorizationCode.create(client.id, redirectURI, user.id, ares.scope, function(err, code) {
        if (err) { return done(err); }
        done(null, code);
    });
}));

But the ares parameter is an object that contains only one field:

{
    allow: true
}

There's no scope

I've checked the source code and I see this in code.js:180

...
else if (arity == 5) {
    issue(txn.client, txn.req.redirectURI, txn.user, txn.res, issued);
}
...

Unfortunately, txn.res does not contain scope which is, instead, contained in txn.req.

I had the same problem.
The example seems to be outdated. Replace
server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, done)
with
server.grant(oauth2orize.grant.code(function(client, redirectURI, user, ares, areq, done)
Then you can access areq.scope.

If you're trying to let the end user modify the scope while granting the access you can't use areq. If you access the scope from areq you will be accessing the originally requested scope, not the one authorised by the end user.

In order to include the scope in the ares parameter you need to change:
app.post('/dialog/authorize/decision',
    login.ensureLoggedIn(),
    server.decision()
);
to
app.post('/dialog/authorize/decision',
    login.ensureLoggedIn(),
    server.decision(function(req, done) {
        return done(null, { scope: req.body.scope }); // or req.scope
    })
);

scope being an input parameter in the user approval form that contains the scope modified by the end user.
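As an added example (not oauth2orize's own code), a decision parse function in the shape the comment above describes that also checks the user-approved scope against the originally requested one, so a tampered approval form cannot grant more than the client asked for. It assumes the form posts the approved scope as `req.body.scope` and that the transaction is available as `req.oauth2`, as `server.authorization()` sets it.

```javascript
'use strict';

// Normalise a scope value (space-separated string, array, or undefined) to an array.
function toScopeArray(scope) {
  if (Array.isArray(scope)) return scope.filter(Boolean);
  if (typeof scope === 'string') return scope.split(' ').filter(Boolean);
  return [];
}

// Keep only the scopes the user ticked that the client originally requested,
// so the granted scope is always a subset of txn.req.scope.
function approvedScope(requestedScope, submittedScope) {
  const requested = new Set(toScopeArray(requestedScope));
  return toScopeArray(submittedScope).filter((s) => requested.has(s));
}

// Parse function for server.decision(). The object passed to done() is what
// the code grant callback receives as ares, so ares.scope is set here.
// Assumed names: req.body.scope (approval form field) and req.oauth2 (transaction).
function parseDecision(req, done) {
  const txn = req.oauth2;
  if (!txn || !txn.req) {
    return done(new Error('no authorization transaction on request'));
  }
  const scope = approvedScope(txn.req.scope, req.body && req.body.scope);
  return done(null, { scope: scope });
}

// Wiring into the route from the comment above:
//   app.post('/dialog/authorize/decision', login.ensureLoggedIn(), server.decision(parseDecision));
```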