I was wondering about wrongly generated access tokens and realized that my user didn't have permissions at all. This could be checked via the /oauth/debug endpoint.

In order to fix that behavior we should add the locked user roles (anonymous, authenticated

Comments

yannickoo created an issue. See original summary.

yannickoo

Issue summary: View changes

yannickoo

Status: Active » Needs review

Attachment: new, 1.23 KB
bradjones1

Status: Needs review » Closed (won't fix)
Related issues: +#3077125: Consumers should not be able to grant roles beyond those already assigned to user

I'm going to mark this as won't fix, as scopes are designed to allow for fine-grained control of the scope of the tokens issued for the consumer in question. Might also be worth seeing the discussion on the related issue.

bradjones1

Status: Closed (won't fix) » Closed (outdated)

Additional note, the authenticated scope is always added; anonymous doesn't apply.