open-humans
Auto authorization should check requested permissions
There's an "auto authorization" for django-oauth-toolkit that's convenient for projects that require a "log in via Open Humans": it can automatically skip a user authorization screen if the provider site knows the user has already authorized that app before.
However, django-oauth-toolkit only knows to check scopes – the traditional method for permission management – and it prompts a re-authorization by the user if the request has a different scope. That's a problem for us.
We've actually been using auto-authorization already, but (a) it doesn't work very well because django-oauth-toolkit is expiring this when the access token expires, which is inappropriate (I raised the issue in their repo and suggested a code change), and (b) when it does work, it's occurring even when a project has changed permissions.
Good news: on Open Humans we have not inadvertently automatically authorized any new permissions. It's just failing to prompt that re-authorization to happen when new permissions are requested. Also, it probably hasn't been a problem because of item (a) above – django-oauth-toolkit was kind of broken so re-authorizations were happening anyway – and also we probably haven't had many projects updating requested permissions anyway.
But if/when a fix to django-oauth-toolkit deploys to (I think appropriately) auto authorize based on an existing, valid refresh token as evidence for permission, then this issue will become more substantial. Open Humans should be avoiding auto authorization when requested permissions change.