Include the received access token's scope in the 'extra' hash #79

Merged
merged 1 commit into from
Feb 5, 2020

davebrace
Contributor

According to [GitHub's
documentation](https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#requested-scopes-and-granted-scopes):

> The scope attribute lists scopes attached to the token that were granted
> by the user. Normally, these scopes will be identical to what you
> requested. However, users can edit their scopes, effectively granting
> your application less access than you originally requested. Also, users
> can edit token scopes after the OAuth flow is completed. You should be
> aware of this possibility and adjust your application's behavior
> accordingly.

Therefore, include the scope returned with the OAuth token in the
'extra' hash generated for the omniauth callback.

According to the OAuth2 gem's code, extra params returned with the
access token response can be accessed via indexing on the AccessToken
class:

https://github.com/oauth-xx/oauth2/blob/58471c95c5473d9a494e45534df96f0cf935a2bb/lib/oauth2/access_token.rb#L60-L65
@davebrace davebrace force-pushed the include-token-scope-in-extra branch from 471a791 to 1b3a35c Compare January 20, 2019 20:06
@davebrace davebrace changed the title Include the received token's scope in the 'extra' hash Include the received access token's scope in the 'extra' hash Jan 20, 2019
@suprnova32 suprnova32 merged commit 6b497a8 into omniauth:master Feb 5, 2020
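
An added example (not code from this pull request or from omniauth-github) of how a callback handler could compare the granted scope against what a feature needs, since users can grant less than was requested. It assumes the value is exposed as `extra['scope']` in the auth hash; the helper names, the sample auth hashes and the partial scope hierarchy are constructed for illustration.

```ruby
require 'set'

# Illustrative subset of GitHub's scope hierarchy: a parent scope implies
# its children, and GitHub lists only the parent when both were requested.
IMPLIED_SCOPES = {
  'repo' => %w[repo:status repo_deployment public_repo],
  'user' => %w[read:user user:email user:follow]
}.freeze

# Scopes this (hypothetical) application needs for a feature.
REQUIRED = %w[user:email public_repo].freeze

# Parse the scope string from the token response into a Set.
# nil or an empty string (no scopes granted) yields an empty Set.
def parse_scopes(raw)
  raw.to_s.split(/[,\s]+/).reject(&:empty?).to_set
end

# Expand the granted scopes with the child scopes they imply, so that a
# token carrying "user" is accepted where "user:email" is required.
def effective_scopes(granted)
  granted.each_with_object(granted.dup) do |scope, acc|
    acc.merge(IMPLIED_SCOPES.fetch(scope, []))
  end
end

# Return the required scopes that the received token does not cover.
# 'scope' under 'extra' is the assumed key name for the value this PR adds.
def missing_scopes(auth, required)
  raw = auth.dig('extra', 'scope')
  required.to_set - effective_scopes(parse_scopes(raw))
end

# Constructed auth hashes standing in for request.env['omniauth.auth'].
FULL_GRANT    = { 'extra' => { 'scope' => 'user,repo' } }.freeze
REDUCED_GRANT = { 'extra' => { 'scope' => 'user:email' } }.freeze
NO_SCOPE      = { 'extra' => {} }.freeze

if __FILE__ == $PROGRAM_NAME
  [FULL_GRANT, REDUCED_GRANT, NO_SCOPE].each do |auth|
    missing = missing_scopes(auth, REQUIRED)
    puts missing.empty? ? 'ok: feature enabled' : "disable feature, missing: #{missing.to_a.join(', ')}"
  end
end
```

Because scopes can also be edited after the OAuth flow completes, a check at callback time reflects only the grant as it was when the token was issued.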