Doorkeeper: Wrong information on default scopes in the Wiki ?

Created on 27 Sep 2020  路  6Comments  路  Source: doorkeeper-gem/doorkeeper

There is a note in the Wiki on Using Scopes, under doorkeeper-scopes (note added by @toupeira on Mar 5, 2018) that reads, about tokens with an empty scopes:

if you then add another default scope at a later date, previously issued tokens will automatically grant access to this scope as well.

I tried tokens with an empty string or NULL as scopes, but neither worked.

I then found #1399, where @nbulaj wrote more recently (Apr 17, 2020):

Adding default_scopes invalidates all existing token

This is actually an expected behavior.

I checked the migration documentation, but found no mention of a default_scopes behavior change that could explain this contradiction.

Did I miss something, and is there indeed a way to get tokens with an empty scope to grant access to the default_scopes, as stated in the Wiki?

If there was a change in behavior, can this be clarified in the wiki? For example (this is just a guess, I am not sure about the actual internal behavior):

In versions pre x.x, when no scope was requested, tokens were created with an empty scope, and these tokens were always granting the current default scopes. After x.x, when no scope is requested, tokens are created with the current default scopes. Updates (*) to the default scopes configuration will therefore invalidate these tokens.

(*: or should this be "Additions" ? I am guessing removing should be OK, since the pre-existing tokens grant more scopes that the default now requires.)

If in doubt about the behavior change, and the current behavior is indeed that tokens with an empty scope do NOT grant the default_scopes, then the note is outdated (at best, not sure if it was ever correct) and should be removed.

Most helpful comment

@nbulaj thanks! :+1:

I removed the note now in https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes/_compare/52a4126e162d3386534e9e8c2296bd10b2bb8440, so this issue can be closed.

All 6 comments

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If it was code I would fork the project and submit a documentation fix, but I am not sure how to proceed with Wiki updates.

Also, it is still unclear if the behavior mentioned was ever correct. @nbulaj or @toupeira, would you care to comment?

@yemartin hey there, sorry for the late response! :see_no_evil:

I think you're right, I don't have a good setup to quickly test this, but looking through the specs I found https://github.com/doorkeeper-gem/doorkeeper/blob/b95bd02d18441f254abfb10fb6eb8124a3e74f9c/spec/requests/flows/authorization_code_spec.rb#L462-L467 which has an authorization request without a scopes parameter, and then the access token in the DB has the default scopes.

It looks like this spec has been there since 2012, so I think the most likely explanation is that this was a misunderstanding on my part in 2018, and we can just delete that comment in the wiki :sweat_smile:

If you or @nbulaj don't have any objections I'll go ahead and do that!

No objections @toupeira :handshake:

@nbulaj thanks! :+1:

I removed the note now in https://github.com/doorkeeper-gem/doorkeeper/wiki/Using-Scopes/_compare/52a4126e162d3386534e9e8c2296bd10b2bb8440, so this issue can be closed.

Thank you @toupeira for the clarification through the specs, and for the wiki fix!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

iangreenleaf picture iangreenleaf  路  4Comments

yongwoon picture yongwoon  路  3Comments

edwinv picture edwinv  路  6Comments

rasheedhamdawi picture rasheedhamdawi  路  4Comments

reinvanimschoot picture reinvanimschoot  路  5Comments