Oauth2orizeRecipes

Client Scope & AuthCode scope undefined when working with database

Open felixfrtz opened this issue 7 years ago • 0 comments

Hey,

first of all: thanks for documenting this in such detail. I went through a few OAuth examples, and this one is definitely the best. Now to the issue I have:

I am busy connecting everything to a database, and so far it works, except for one thing: when a user authorizes a client, only an access token is sent, no refresh token. I narrowed this down to the fact that validate.isRefreshToken() fails because the scope is null. I am still busy trying to figure out where exactly scope becomes undefined, but here is what I have found so far:

In oauth2.js, the authorization middleware:

..
}), (req, res, next) => {
    // Render the decision dialog if the client isn't a trusted client
    // TODO:  Make a mechanism so that if this isn't a trusted client, the user can record that
    // they have consented but also make a mechanism so that if the user revokes access to any of
    // the clients then they will have to re-consent.
    db.clients.findByClientId(req.query.client_id)
    .then((client) => { ....
     // client.scope is undefined
     }

Here, the scope in the client object is undefined for me; however, looking at the unmodified example, which uses memory storage, it is properly defined. I tried manually defining it like so: client.scope = "offline_access", but that did not do the job, it gets lost somewhere later on.

What is more likely to be the problem is here in the same file:

server.grant(oauth2orize.grant.code((client, redirectURI, user, ares, done) => {
  const code = utils.createToken({ sub : user.id, exp : config.codeToken.expiresIn });
  db.authorizationCodes.save(code, client.id, redirectURI, user.id, client.scope)
  .then(() => done(null, code))
  .catch(err => done(err));
}));

Again, client.scope is undefined here. Any idea what the connection might be, and how this can be tackled when working with a database? Which function passes the client object to the above function?

When I use db.authorizationCodes.save(code, client.id, redirectURI, user.id, "offline_access") it works, and the refresh_token gets sent as well, but that is only a temporary solution. I thought about having another column in the clients table saving the scope; however, that is not a solution I would prefer.

felixfrtz, Nov 24 '17 10:11