OAuth 2 tokens have duplicated scopes


If I have a developer app which has access to the products:

  • P1
    • Allowed OAuth Scopes: A, B, C
  • P2
    • Allowed OAuth Scopes: A, B

The resulting token has:

"scope": "A B A B C"

Does that make sense? Shouldn't the values be unique (i.e., "A B C")?

(Validation still works as expected, it's just that the tokens look "funny")

This is on OPDK 4.16.09.02


I agree, it looks funny.

I'll create a bug report on that. But it looks like it's not blocking you. Also, I don't see a security risk associated to this. It seems mostly aesthetic.

Agree?

@Dino

Yeah, from what I can see it's mainly aesthetics. It seems to work fine. When we saw that, it looked as if something was broken, but from what I can tell the tokens are fine.

BTW, Eric, you can groom the token response before delivering it to the caller, if you like.

Some people do this because the default response from an OAuthV2/GenerateAccessToken is kinda verbose, and includes information that perhaps the client does not use.

You could do the same thing to clean up the aesthetics around the scope.

basically,

Just use a JSC policy that performs a JSON.parse() of response.content, modifies the object, and then resets the response.content to the stringified version of the modified object. Something like this:

var b1 = JSON.parse(response.content),
    // fields the client typically does not need; 'scope' is deliberately not
    // in this list, because it is de-duplicated below rather than removed
    propertiesToRemove = ['status', 'refresh_token_status',
                          'token_type', 'organization_name',
                          'developer.email', 'refresh_count',
                          'application_name'];
if (b1.access_token) {
  propertiesToRemove.forEach(function(item){
    delete b1[item];
  });

  // keep only unique scopes
  if (b1.scope) {  // "A A B C A B"
    var scopes = b1.scope.split(' '); // ["A", "A", "B", "C", "A", "B"]
    b1.scope = scopes.filter( function(value, index, self) {
      return self.indexOf(value) === index; // keep the first occurrence only
    });  // ["A", "B", "C"]

    // join back into the space-separated string form the token normally
    // carries (a bare join() would separate with commas)
    b1.scope = b1.scope.join(' '); // "A B C"
  }

  // pretty-print JSON
  context.setVariable('response.content', JSON.stringify(b1, null, 2));
}
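As an added example (not Dino's code or an Apigee-supplied policy), the same grooming step written as a pure function so it can be unit-tested outside the gateway; it also handles the cases the inline policy skips (error responses without an access_token, non-JSON bodies, stray whitespace in the scope string). The sample token below is constructed, modelled on the one in the question; `context`/`response` are the Apigee JavaScript policy objects and only appear in the comment.

```javascript
// Default set of verbose fields to strip; adjust to what your clients actually use.
var DEFAULT_REMOVE = ['status', 'refresh_token_status', 'token_type',
                      'organization_name', 'developer.email',
                      'refresh_count', 'application_name'];

// Collapse "A B A B C" to "A B C", keeping first-seen order and
// ignoring empty fragments produced by leading/trailing or doubled spaces.
function uniqueScopes(scopeString) {
  var seen = {};
  return scopeString.split(/\s+/).filter(function (s) {
    if (s === '' || seen[s]) { return false; }
    seen[s] = true;
    return true;
  }).join(' ');
}

// Returns the groomed response body as a string. Non-JSON bodies and
// error responses (no access_token) are returned unchanged so that the
// client still sees the original error payload.
// In an Apigee JavaScript policy this would be wired up as:
//   context.setVariable('response.content', groomTokenResponse(response.content));
function groomTokenResponse(content, propertiesToRemove) {
  var body;
  try {
    body = JSON.parse(content);
  } catch (e) {
    return content;               // not JSON: leave untouched
  }
  if (!body || !body.access_token) { return content; }

  (propertiesToRemove || DEFAULT_REMOVE).forEach(function (name) {
    delete body[name];
  });
  if (typeof body.scope === 'string') {
    body.scope = uniqueScopes(body.scope);   // "A B A B C" -> "A B C"
  }
  return JSON.stringify(body, null, 2);      // pretty-printed, like the policy
}

// Constructed sample token response (placeholder values), shaped like the one
// in the question: duplicated scopes from two products.
var SAMPLE = JSON.stringify({
  access_token: 'EXAMPLE_TOKEN', token_type: 'BearerToken',
  scope: 'A B A B C', status: 'approved', expires_in: '1799'
});
```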