Problem/Motivation

Currently /oauth/authorize, used for the Implicit Grant, requires the "access content" perm. This page is visited most commonly by anon users. If anon users don’t have that "access content" permission, a common case for sites with mainly private content, the user will receive "Access Denied" and the flow back to their app breaks down. Removing this requirement from the route should be negligible since /user is accessible by anon users as well and this is essentially just a fancy /user visit.

Proposed resolution

Remove this perm requirement from the oauth2_token_extras.authorize route.

Remaining tasks

  • Create patch

User interface changes

None

API changes

None

Data model changes

None
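As an added illustration (not the issue's own patch and not the module's actual routing file), here is the route definition with the weak requirement beside the corrected one, in Drupal's routing.yml format. The route name oauth2_token_extras.authorize and the path /oauth/authorize come from the issue; the controller class and the permission name in the third variant are placeholders. It assumes, as the /user comparison in the summary implies, that login and consent are enforced by the controller rather than by the route requirement.

```yaml
# Added example, not the module's own routing file. Three YAML documents,
# each a stand-alone definition of the same route.

# Before: anonymous users without 'access content' get 403 at
# /oauth/authorize, so the redirect back to the client app never happens.
oauth2_token_extras.authorize:
  path: '/oauth/authorize'
  defaults:
    # placeholder controller name
    _controller: '\Drupal\example\Controller\AuthorizeController::authorize'
  requirements:
    _permission: 'access content'

---
# After (the proposed resolution): the route is reachable by anyone, like
# /user. Anonymous visitors still have to authenticate and consent inside
# the controller before any token is issued, so nothing is granted here.
oauth2_token_extras.authorize:
  path: '/oauth/authorize'
  defaults:
    # placeholder controller name
    _controller: '\Drupal\example\Controller\AuthorizeController::authorize'
  requirements:
    _access: 'TRUE'

---
# Alternative raised in the thread: a dedicated permission instead of
# 'access content'. The permission name is a placeholder and would also
# need a matching entry in the module's permissions.yml; a site would
# then grant it to the anonymous role to allow the implicit flow.
oauth2_token_extras.authorize:
  path: '/oauth/authorize'
  defaults:
    # placeholder controller name
    _controller: '\Drupal\example\Controller\AuthorizeController::authorize'
  requirements:
    _permission: 'PLACEHOLDER initiate oauth2 authorization'
```

The security-relevant point is that the route requirement only decides who can reach the page; with `_access: 'TRUE'` the decision about who may obtain a token moves entirely into the controller's login and consent handling, which is the same posture /user already has. The third variant keeps a route-level gate but removes the undocumented dependency on the Node module's permission.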


Comments

infiniteluke created an issue. See original summary.

e0ipso

Issue summary: View changes

e0ipso

I don't feel strongly either way. Let's see if other people think about this before taking a resolution.

lauriii

We need this on one of our sites as well. It is not too bad to have a patch for this, but maybe it is worth supporting this use case. If you feel concerned about removing the access control from this route, maybe we can add a new permission for this?

hampercm

I think the proposed approach is reasonable.

Is there any use case where you would want to restrict access to the authorization endpoint? I'm not coming up with one, myself, but I'm not especially familiar with the Implicit Grant. If there is any such use case, then adding a new permission would be necessary.

lauriii

Status: Active » Needs review
File size: 483 bytes

Another reason to remove usage of this permission is that it creates an undocumented dependency on the Node module.

  • e0ipso committed da7da2f on 8.x-2.x authored by lauriii
    fix(Access control): Unrestricted access to initiate the Implicit grant...
e0ipso

Status: Needs review » Fixed

I keep going back and forth with this, but if you guys feel this is useful that settles it for me.

Thank you all!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.