nulab / scala-oauth2-provider

OAuth 2.0 server-side implementation written in Scala


client Scope validation

royepel opened this issue · comments

Hi,

Where do I need to validate the scope requested (by the client) against the scope allowed for that specific client?

We can validate the scope after getting the AuthInfo instance.
I think we have two solutions.

1. In the DataHandler#findAuthInfoByAccessToken method

The DataHandler#findAuthInfoByAccessToken method needs to return an AuthInfo, so you can validate after getting the AuthInfo.

You need to pass a scope parameter to your DataHandler instance from the HTTP request parameter.

2. After the ProtectedResource#authorize method (play2-oauth2-provider)

We can directly use the ProtectedResource instance (protectedResource) on OAuth2Provider.

val f = protectedResource.handleRequest(request, new YourDataHandler()).map {
  case Left(e) => throw e
  case Right(authInfo) =>
    // scope: the scope the client requested, taken from the HTTP request parameter
    if (authInfo.scope != scope) {
      throw new InvalidScope()
    }
    authInfo
}

You need to handle the exception like below.

https://github.com/nulab/scala-oauth2-provider/blob/0.12.0/play2-oauth2-provider/src/main/scala/scalaoauth2/provider/OAuth2Provider.scala#L139-L143

In both cases, you should throw an InvalidScope exception if the scope is invalid.
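As an added example (not code from the maintainer or from scala-oauth2-provider itself), here is a per-client scope check that goes beyond the simple equality test above: it splits the space-delimited OAuth 2.0 scope string and rejects any requested value that is not both registered for the client and granted to the token, raising InvalidScope so the existing error handler renders it. It assumes AuthInfo#clientId and AuthInfo#scope are Option[String] (as in 0.12.0), and the client registry map is a hypothetical stand-in for your data store.

```scala
import scala.concurrent.{ExecutionContext, Future}
import scalaoauth2.provider.{AuthInfo, InvalidScope, OAuthError}

object ScopeCheck {
  // Hypothetical client registry: which scopes each client is allowed to ask for.
  // In a real application this is looked up from your data store.
  val allowedScopesByClient: Map[String, Set[String]] = Map(
    "client-a" -> Set("read", "write"),
    "client-b" -> Set("read")
  )

  // RFC 6749 scope values are space-delimited; normalise to a set of tokens.
  def parseScope(scope: Option[String]): Set[String] =
    scope.map(_.trim).filter(_.nonEmpty)
      .map(_.split("\\s+").toSet)
      .getOrElse(Set.empty)

  // Returns the validated scope set, or the InvalidScope to surface to the client.
  // A requested value must be registered for the client AND granted to the token.
  def validate[U](authInfo: AuthInfo[U], requested: Option[String]): Either[InvalidScope, Set[String]] = {
    val wanted  = parseScope(requested)
    val allowed = authInfo.clientId.flatMap(allowedScopesByClient.get).getOrElse(Set.empty)
    val granted = parseScope(authInfo.scope)
    val notPermitted = wanted.diff(allowed) ++ wanted.diff(granted)
    if (wanted.isEmpty) Left(new InvalidScope("scope parameter is required"))
    else if (notPermitted.nonEmpty) Left(new InvalidScope(s"scope not permitted: ${notPermitted.mkString(" ")}"))
    else Right(wanted)
  }

  // Wraps the result of ProtectedResource#handleRequest (approach 2 above): a scope
  // mismatch becomes an InvalidScope thrown inside the Future, like any other OAuthError.
  def enforce[U](resolved: Future[Either[OAuthError, AuthInfo[U]]], requested: Option[String])
                (implicit ec: ExecutionContext): Future[AuthInfo[U]] =
    resolved.map {
      case Left(e) => throw e
      case Right(authInfo) =>
        validate(authInfo, requested) match {
          case Left(err) => throw err
          case Right(_)  => authInfo
        }
    }
}
```

With the constructed registry above, a token for "client-b" granted scope "read" passes validate for a request of "read" and fails for "read write".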

Thank you for your quick answer.