[ManiaConnect][Bug?] Authorization with smaller scope

Maniaplanet public API, ManiaConnect system and the open source PHP SDK.

Moderator: NADEO

m4rcel
Posts: 653
Joined: 15 Jun 2010, 11:12

Post by m4rcel » 20 Oct 2012, 20:39

I discovered another issue regarding ManiaConnect and scopes, which I find a little bit confusing:

If you have given an authorization to a certain App, and this app requests a smaller scope, you need to re-accept the authorization.

Concrete example and reproduction:
  • Create an app. Request e.g. all scopes for this app.
  • Accept the authorization. The App may now access any data of the player.
  • With the same app, request a smaller scope, e.g. "basic dedicated".
  • You have to accept the authorization again. When accepting, the former full authorization will be replaced with the smaller scope. The App can no longer e.g. access the email, although the user had accepted this in the second step.

I think ManiaConnect should check if the requested scope is already a subset of the allowed one, and only request a new authorization if there are any new scopes in it. When already having authorization to all scopes, it should not ask for "basic dedicated" anymore.

steeffeen
Translator
Posts: 2472
Joined: 14 Oct 2012, 16:22
Location: Germany

Post by steeffeen » 13 May 2013, 13:49

it's still not fixed :(

is there any chance that this will change in the future? or do you just want to keep it as it is? a simple answer to that question would help a lot as well :D

use-case example:
first login on a page with only basic access to identify the user but later the user could grant more access in order to use extended functions
at the moment that's not possible with only one application

regards
    Game Mode and Title Pack Creator, Developer, ShootMania-Player & more

    ManiaControl, FancyManiaLinks

    magnetik
    Nadeo
    Posts: 1670
    Joined: 01 Feb 2012, 19:13
    Location: Bordeaux

    Post by magnetik » 13 May 2013, 16:38

    The OAuth2 spec does not specify anything about scope changing (There is something about scope changing in token refresh, but we do not offer this feature)

    I do not see any use case. Why would you ask for a smaller scope if you do not want your scope to be reset?

    I've added the feature in my list, but it's not on top :D
    steeffeen wrote:
    > use-case example:
    > first login on a page with only basic access to identify the user but later the user could grant more access in order to use extended functions

    You can do this, the user will be asked to grant the scope you want.
    ManiaPlanet technical documentation portal (Dedicated, ManiaLink, ManiaScript, Titles...) -- contribute!

    m4rcel
    Posts: 653
    Joined: 15 Jun 2010, 11:12

    Post by m4rcel » 13 May 2013, 16:54

    Use Case:
    You have a page where you request basic information. Let it be Tetris, which needs the information for saving the Highscore.
    On a sub page, you have a contact form, and next to the "basic" information, you want to get the "email". No problem, user has to re-validate the authentication as of bigger scope. (This re-validation is completely acceptable.)
    That user, after sending the contact request, now goes back and plays another round of Tetris. Highscore requests "basic" scope, as it does not need more information. And so the user has to re-accept the authentication, although he accepted "basic email" before, and the Highscore only requested "basic".
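The behaviour asked for in the first post and in the Tetris use case (prompt only when the requested scope is not a subset of what the user already granted, and never shrink the stored grant), as an added sketch that is not ManiaConnect's code or part of any post. `GrantStore`, `authorize` and `tetris_walkthrough` are hypothetical names, the user and client ids are constructed, and scopes are assumed to be space-delimited as in the OAuth2 `scope` parameter.

```python
def parse_scope(scope_param):
    # OAuth2 scope values are space-delimited (RFC 6749, section 3.3).
    return frozenset(scope_param.split())


class GrantStore:
    """Hypothetical store of the scopes each user approved per client app."""

    def __init__(self):
        self._grants = {}

    def granted(self, user, client_id):
        return self._grants.get((user, client_id), frozenset())

    def widen(self, user, client_id, scopes):
        # Only ever add to the stored grant; a narrower request never replaces it.
        self._grants[(user, client_id)] = self.granted(user, client_id) | scopes


def authorize(store, user, client_id, scope_param, approve):
    """approve(missing) stands in for the consent screen and returns a bool."""
    requested = parse_scope(scope_param)
    missing = requested - store.granted(user, client_id)
    if missing:
        if not approve(missing):
            return {"asked": missing, "token_scope": None}
        store.widen(user, client_id, missing)
    # Least privilege: the token carries only what this request asked for,
    # even when the stored grant is wider.
    return {"asked": missing, "token_scope": requested}


def tetris_walkthrough():
    """Highscore, contact form, highscore again (constructed user and client ids)."""
    store = GrantStore()
    steps = [authorize(store, "player1", "tetris", scope, lambda missing: True)
             for scope in ("basic", "basic email", "basic")]
    return steps, store.granted("player1", "tetris")


if __name__ == "__main__":
    steps, grant = tetris_walkthrough()
    for step in steps:
        print("asked:", sorted(step["asked"]), "token:", sorted(step["token_scope"]))
    print("stored grant:", sorted(grant))
```

The third step asks for nothing because `basic` is a subset of the stored `basic email` grant, and the token it returns still carries only `basic`.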

    steeffeen
    Translator
    Posts: 2472
    Joined: 14 Oct 2012, 16:22
    Location: Germany

    Post by steeffeen » 13 May 2013, 17:25

    m4rcel basically said it, it's fine that there will be another prompt for permission granting if you need a bigger scope! but it's not nice the other way around

    in our case there is a website which offers most features with a basic login but there are also extended features for which you will need to grant more permissions like dedicated and buddies, after you've granted these permissions and want to login again you will be asked to grant the small scope again because the login only covers the small scope
    we don't want to request the big scope right from the start because some users may not want us to access their buddies and stuff BUT want to use the basic features of the website

      magnetik
      Nadeo
      Posts: 1670
      Joined: 01 Feb 2012, 19:13
      Location: Bordeaux

      Post by magnetik » 20 May 2013, 09:45

      If you ask for more permissions once, you should remember the "highest" permission you asked on your side and never ask for a lower.

      The change required on server side to support this is not trivial and we have other priorities at the moment.

      steeffeen
      Translator
      Posts: 2472
      Joined: 14 Oct 2012, 16:22
      Location: Germany

      Post by steeffeen » 20 May 2013, 10:17

      magnetik wrote:
      > If you ask for more permissions once, you should remember the "highest" permission you asked on your side and never ask for a lower.

      we would do that but the basic login on a website for example must have a small scope because old users AND new users login over this site and we don't know yet which user is coming there ;)

      at least it's on the list :)

        magnetik
        Nadeo
        Posts: 1670
        Joined: 01 Feb 2012, 19:13
        Location: Bordeaux

        Post by magnetik » 21 May 2013, 10:33

        I just pushed a new version and it should be working now.