
How to implement scope?

Open thanhnambkhn opened this issue 7 years ago • 7 comments

Hi Borodulin, how do I implement scope in the client config? I do not see it in the documentation. Could you explain it for me, e.g. when the scope is "email username .."?

thanhnambkhn avatar Nov 03 '17 06:11 thanhnambkhn

Oh, man. I have the same requirement. My application needs a user confirmation page to determine the access scope.

XanaduNWH avatar Mar 29 '18 02:03 XanaduNWH

Unless I am mistaken about the way the whole OAuth2 flow works, you have to extend the AuthorizeFilter and override the afterAction method to fit your goals (don't let it finishAuthorization() immediately after login). That's what I am doing at least. OAuth2 rookie here, so take my advice with a grain of salt.

gerysk avatar Mar 30 '18 11:03 gerysk

Hi doomprophet, nice to hear that. Could you provide the code where you extended AuthorizeFilter and the afterAction method?

thanhnambkhn avatar Apr 02 '18 01:04 thanhnambkhn

```php
// These two methods are meant to live in a subclass of the library's AuthorizeFilter.
// Oauth2UserScopes is the poster's own model/table (user_id, client_id,
// approved_scopes, rejected_scopes), not part of the library.
public function getScopes()
{
    $responseType = $this->getResponseType();

    // Look up (or create) the per-user, per-client consent record
    $userscopes = Oauth2UserScopes::findOne([
        'user_id'   => Yii::$app->user->getId(),
        'client_id' => $responseType->client_id,
    ]);
    if (!$userscopes) {
        $userscopes = new Oauth2UserScopes([
            'user_id'   => Yii::$app->user->getId(),
            'client_id' => $responseType->client_id,
        ]);
        $userscopes->save();
    }

    return [$userscopes, $responseType];
}

public function afterAction($action, $result)
{
    if (!Yii::$app->user->isGuest) {
        list($userscopes, $responseType) = $this->getScopes();

        // array_filter() drops the '' that explode() returns for an empty string,
        // so an empty column or an empty scope request does not become a "scope" named ''
        $approvedScopes  = array_filter(explode(' ', trim((string) $userscopes->approved_scopes)));
        $rejectedScopes  = array_filter(explode(' ', trim((string) $userscopes->rejected_scopes)));
        $requestedScopes = array_filter(explode(' ', trim((string) $responseType->scope)));

        // Requested scopes the user has neither approved nor rejected yet
        $missingscopes = array_diff($requestedScopes, $approvedScopes, $rejectedScopes);

        // Only redirect back to the client once every requested scope has a decision;
        // the scope actually issued is what was both requested and approved
        if (count($missingscopes) == 0) {
            $responseType->scope = trim(implode(' ', array_intersect($approvedScopes, $requestedScopes)));
            $this->finishAuthorization();
        }
    }
    return $result;
}
```

This will not allow the redirection until the requested scopes have all been approved or rejected by the user. The logic behind that is all up to you (take care with empty scopes, they might cause some hiccups). Since getResponseType() is protected and you can't use it from the controller, I made the public getScopes() to also include that. WARNING: This is my first attempt, so don't expect it to be perfect or even good. There might be far better approaches I am unaware of.

gerysk avatar Apr 02 '18 06:04 gerysk
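The scope reconciliation in the comment above (pending = requested minus approved minus rejected; issued = requested intersected with approved) is easy to get subtly wrong around empty strings and duplicates. The following is an added, stand-alone example written for this thread; it is not code from the poster or from yii2-oauth2-server, and the function names `parseScopes` and `reconcileScopes` and the sample consent rows are constructed for illustration. It separates the pure decision logic from the filter so it can be run and checked on its own, and it goes slightly beyond the snippet by showing that an approval set wider than the request never leaks extra scopes into the issued token.

```php
<?php
declare(strict_types=1);

/**
 * Split a space-delimited OAuth2 scope string into a de-duplicated list.
 * PREG_SPLIT_NO_EMPTY avoids the '' element that explode() yields for "",
 * which is the "empty scope" hiccup mentioned in the thread.
 */
function parseScopes(string $scopeString): array
{
    $parts = preg_split('/\s+/', trim($scopeString), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($parts));
}

/**
 * Reconcile what the client requested against what the user already decided.
 *
 *   pending  - requested scopes with no decision yet (show the consent page)
 *   granted  - scopes to put on the code/token: requested AND approved, never more
 *   complete - true when nothing is pending, i.e. it is safe to finish authorization
 */
function reconcileScopes(string $requested, string $approved, string $rejected): array
{
    $req = parseScopes($requested);
    $ok  = parseScopes($approved);
    $no  = parseScopes($rejected);

    $pending = array_values(array_diff($req, $ok, $no));
    $granted = array_values(array_intersect($req, $ok));

    return [
        'pending'  => $pending,
        'granted'  => $granted,
        'complete' => count($pending) === 0,
    ];
}

// Constructed sample rows standing in for the per-user, per-client consent record:
// [requested scope string, approved_scopes column, rejected_scopes column]
$cases = [
    'first visit, nothing decided' => ['email profile', '', ''],
    'partially decided'            => ['email profile offline', 'email', 'offline'],
    'everything decided'           => ['email profile', 'email', 'profile'],
    'approval wider than request'  => ['email', 'email profile admin', ''],
    'empty scope request'          => ['', 'email', ''],
];

foreach ($cases as $label => [$requested, $approved, $rejected]) {
    $r = reconcileScopes($requested, $approved, $rejected);
    printf("%-30s pending=[%s] granted=[%s] complete=%s\n",
        $label,
        implode(' ', $r['pending']),
        implode(' ', $r['granted']),
        $r['complete'] ? 'yes' : 'no');
}
```

Run it with `php scopes.php`. The "approval wider than request" row is the case worth checking in any consent implementation: the user has approved `admin` for this client at some point, but the current request only asks for `email`, so only `email` is issued. The last row shows the remaining policy decision the snippet above leaves open: an empty scope request reconciles as "complete" with nothing granted, and RFC 6749 section 3.3 says the server must then either apply a documented default scope or fail the request, so that branch needs an explicit choice rather than the default of redirecting with an empty scope.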

Thank doomprophet (y)

thanhnambkhn avatar Apr 02 '18 07:04 thanhnambkhn

Another question, doomprophet: have you implemented other grant types such as implicit, client credentials, resource owner password, JWT support, etc.?

thanhnambkhn avatar Apr 02 '18 07:04 thanhnambkhn

Nope, that's it. Not planning to use other grant types for the time being. (Also don't know how.)

gerysk avatar Apr 02 '18 07:04 gerysk