
Auto authorization should check requested permissions

[Open] madprime opened this issue 5 years ago · 0 comments

There's an "auto authorization" for django-oauth-toolkit that's convenient for projects that require a "log in via Open Humans": it can automatically skip a user authorization screen if the provider site knows the user has already authorized that app before.

However, django-oauth-toolkit only knows to check scopes – the traditional method for permission management – and it prompts a re-authorization by the user if the request has a different scope. That's a problem for us.

We've actually been using auto-authorization already, but (a) it doesn't work very well because django-oauth-toolkit is expiring this when the access token expires, which is inappropriate (I raised the issue in their repo and suggested a code change), (b) when it does work, it's occurring even when a project has changed permissions.

Good news: on Open Humans we have not inadvertently automatically authorized any new permissions. It's just failing to prompt that re-authorization to happen when new permissions are requested. Also, it probably hasn't been a problem because of item (a) above – django-oauth-toolkit was kind of broken so re-authorizations were happening anyway – and also we probably haven't had many projects updating requested permissions anyway.

But if/when a fix to django-oauth-toolkit deploys to (I think appropriately) auto authorize based on an existing, valid refresh token as evidence for permission, then this issue will become more substantial. Open Humans should be avoiding auto authorization when requested permissions change.

madprime · Nov 05 '19 18:11
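The decision rule the issue asks for, as an added example (not Open Humans' or django-oauth-toolkit's code): skip the consent screen only when a prior grant for the same project exists, its refresh token is still valid (the evidence for consent the issue proposes, rather than the short-lived access token), and every requested scope and project permission was already approved. The `PriorAuthorization` record, its field names and the sample values are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class PriorAuthorization:
    """Constructed model of a user's earlier consent for one project."""
    project_id: str
    scopes: FrozenSet[str]                      # OAuth scopes approved earlier
    permissions: FrozenSet[str]                 # project-specific permissions approved earlier
    refresh_token_expires: Optional[datetime]   # None means the refresh token never expires
    refresh_token_revoked: bool = False


def refresh_token_is_valid(auth: PriorAuthorization, now: datetime) -> bool:
    """A live refresh token is the evidence of standing consent; access-token
    expiry alone must not force a re-consent prompt."""
    if auth.refresh_token_revoked:
        return False
    return auth.refresh_token_expires is None or auth.refresh_token_expires > now


def can_skip_authorization(prior: Optional[PriorAuthorization], project_id: str,
                           requested_scopes: Iterable[str],
                           requested_permissions: Iterable[str], now: datetime) -> bool:
    """Return True only when auto-authorization is safe: same project, valid
    refresh token, and no scope or permission beyond what was already granted."""
    if prior is None or prior.project_id != project_id:
        return False
    if not refresh_token_is_valid(prior, now):
        return False
    # Any newly requested scope OR newly requested project permission means the
    # user must see the consent screen again; a subset of the old grant is fine.
    if not frozenset(requested_scopes) <= prior.scopes:
        return False
    if not frozenset(requested_permissions) <= prior.permissions:
        return False
    return True


# Constructed sample grant used by the checks below.
NOW = datetime(2019, 11, 5, 18, 11, tzinfo=timezone.utc)
SAMPLE_GRANT = PriorAuthorization(
    project_id="proj-123",
    scopes=frozenset({"read", "write"}),
    permissions=frozenset({"profile", "genome"}),
    refresh_token_expires=NOW + timedelta(days=30),
)
```

A project that adds a new permission (for example `"fitbit"` to the sample grant above) is refused auto-authorization, while a request for a subset of the old grant is allowed.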