authorJuha Vuolle <juha.vuolle@qt.io>2024-07-23 12:13:57 +0300
committerJuha Vuolle <juha.vuolle@qt.io>2024-08-08 07:19:13 +0300
commitd867b77770c09c9b6a970edcbd8041cff6b64e4a (patch)
treeeac74c5e97bb0c3eb273362138aeb139e045f14a /src/oauth/qoauth2authorizationcodeflow.cpp
parenta2b97ad6147452141c5940670737176202138d01 (diff)
Don't clear QAbstractOAuth2::scope upon empty server response
The implementation set the 'scope' unconditionally to scopes the authorization server returned in access token response. The returned and requested scopes can differ, and a server might also omit the 'scope' altogether, causing the Qt class's 'scope' to be just cleared. The scope behavior is specified by OAuth2 RFC 6749, chapter 5.1. Returning differing and empty scopes is common and acceptable. In case of empty scope, we can assume that the server granted the scope that was requested. Furthermore, amend the 'scope' property documentation to reflect these two roles it serves. In a later Qt version we should introduce two new properties which clearly separate these roles. [ChangeLog][QAbstractOAuth2][Important Behavior Changes] If the authorization server returns an empty 'scope' response, the requested scope is not cleared anymore. Instead, it is assumed that the requested 'scope' was granted. Pick-to: 6.8 6.7 6.5 Fixes: QTBUG-66415 Change-Id: I0685507c3ac7633fcf1d177958ba45ec6fd87bd2 Reviewed-by: Ivan Solovev <ivan.solovev@qt.io> Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Diffstat (limited to 'src/oauth/qoauth2authorizationcodeflow.cpp')
-rw-r--r--src/oauth/qoauth2authorizationcodeflow.cpp10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/oauth/qoauth2authorizationcodeflow.cpp b/src/oauth/qoauth2authorizationcodeflow.cpp
index 3951546..2c5fd76 100644
--- a/src/oauth/qoauth2authorizationcodeflow.cpp
+++ b/src/oauth/qoauth2authorizationcodeflow.cpp
@@ -134,7 +134,7 @@ void QOAuth2AuthorizationCodeFlowPrivate::_q_accessTokenRequestFinished(const QV
expiresIn = -1;
if (values.value(Key::refreshToken).isValid())
q->setRefreshToken(values.value(Key::refreshToken).toString());
- scope = values.value(Key::scope).toString();
+
if (accessToken.isEmpty()) {
_q_accessTokenRequestFailed(QAbstractOAuth::Error::OAuthTokenNotFoundError,
"Access token not received"_L1);
@@ -142,6 +142,14 @@ void QOAuth2AuthorizationCodeFlowPrivate::_q_accessTokenRequestFinished(const QV
}
q->setToken(accessToken);
+ // RFC 6749 section 5.1 https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
+ // If the requested scope and granted scopes differ, server is REQUIRED to return
+ // the scope. If OTOH the scopes match, the server MAY omit the scope in the response,
+ // in which case we assume that the granted scope matches the requested scope.
+ const QString scope = values.value(Key::scope).toString();
+ if (!scope.isEmpty())
+ q->setScope(scope);
+
const QDateTime currentDateTime = QDateTime::currentDateTime();
if (expiresIn > 0 && currentDateTime.secsTo(expiresAt) != expiresIn) {
expiresAt = currentDateTime.addSecs(expiresIn);