Problem/Motivation
Currently /oauth/authorize, used for the Implicit Grant, requires the "access content" perm. This page is visited most commonly by anon users. If anon users don't have that "access content" perm, a common case for sites with mainly private content, the user will receive "Access Denied" and the flow back to their app breaks down. Removing this requirement from the route should be negligible since /user is accessible by anon users as well and this is essentially just a fancy /user visit.
Proposed resolution
Remove this perm requirement from the oauth2_token_extras.authorize route.
Remaining tasks
- Create patch
User interface changes
None
API changes
None
Data model changes
None
Comment | File | Size | Author |
---|---|---|---|
#6 | implicit_grant_flow-2845177-6.patch | 483 bytes | lauriii |
Comments
Comment #2
e0ipso
Comment #3
e0ipso
I don't feel strongly either way. Let's see if other people think about this before taking a resolution.
Comment #4
lauriii
We need this on one of our sites as well. It is not too bad to have a patch for this but maybe it is worth supporting this use case. If you feel concerned to remove the access control from this route, maybe we can add a new permission for this?
Comment #5
hampercm (as a volunteer and at Acquia)
I think the proposed approach is reasonable.
Is there any use case where you would want to restrict access to the authorization endpoint? I'm not coming up with one, myself, but I'm not especially familiar with the Implicit Grant. If there is any such use case, then adding a new permission would be necessary.
Comment #6
lauriii
Another reason to remove usage of this permission is that it creates an undocumented dependency on the Node module.
Comment #8
e0ipso
I keep going back and forth with this, but if you guys feel this is useful that settles it for me.
Thank you all!