Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

scopes as array now throw Exception in getQueryStringParameter() #1469

Closed
joelharkes opened this issue Jan 15, 2025 · 3 comments
Closed

scopes as array now throw Exception in getQueryStringParameter() #1469

joelharkes opened this issue Jan 15, 2025 · 3 comments

Comments

@joelharkes
Copy link

joelharkes commented Jan 15, 2025
edited
Loading

The function \League\OAuth2\Server\Grant\AbstractGrant::validateScopes() allows an array of strings as input.
Yet when it retrieves it from the OauthRequest via getQueryStringParameter() it does only allow scalar types and thus will fail:

image

Whereas in older versions returning/setting scopes as an array ["scope1","scope2"] was allowed.

Now the source code is very confusing because on one hand it expects it can be an array, but on the other it doesn't allow an array 🤷.

sidenote: only \League\OAuth2\Server\Grant\AuthCodeGrant::respondToAccessTokenRequest() seems to allow scopes as array, all other references get the scope from query string and thus would fail.

At least version 8.2.4 still allowed using strings.
@eugene-borovov
Copy link
Contributor

3.3. Access Token Scope

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings

@Sephster
Copy link
Member

Hi @joelharkes - looking at this, I think it is just an oversight of mine where I didn't notice that validateScopes is no longer provided an array in the library. It probably should have been removed. It looks like removing this doesn't affect the code at all but is a breaking change so should probably be left as is for now. Apologies for any confusion caused there.

If there is some wider implication of this change I'm not aware of, like causing a bug or something, please could you let me know and we can look at fixing this. Thank you

keulinho added a commit to shopware/acceptance-test-suite that referenced this issue Jan 24, 2025
@keulinho
Use string as scope
dcddd9c 
Using a list of scopes was not spec compliant: thephpleague/oauth2-server#1469

With an update of our oauth lib this is no longer supported, leading to fails in the ATS: shopware/shopware#5986
This was referenced Jan 24, 2025
Closed
Merged
keulinho added a commit to shopware/acceptance-test-suite that referenced this issue Jan 24, 2025
@keulinho
fix: Use string as oauth scope as it is spec compliant
b7aae53 
Using a list of scopes was not spec compliant: thephpleague/oauth2-server#1469

With an update of our oauth lib this is no longer supported, leading to fails in the ATS: shopware/shopware#5986
@Sephster
Copy link
Member

I've had a further look at this and I think this is working as intended. We need to keep the array input because, as you noted, when we encode the scopes in the authcode we encode them as an array and we can pass this entity to this function for easy checking.

As @eugene-borovov has noted, the scope parameter being passed via the query params should always be a string that is comma separated so it makes sense we don't allow array notation via this route. I don't think there is anything to do here now so will mark this as closed but if I've missed something please do flag it to me @joelharkes and I'll be happy to take another look. Thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@eugene-borovov @Sephster @joelharkes