[ManiaConnect][Bug?] Authorization with smaller scope

[m4rcel]

I discovered another issue regarding ManiaConnect and scopes, which I find a little bit confusing:

If you have given an authorization to a certain App, and this app requests a smaller scope, you need to re-accept the authorization.

Concrete example and reproduction:

• Create an app. Request e.g. all scopes for this app.
• Accept the authorization. The App may now access any data of the player.
• With the same app, request a smaller scope, e.g. "basic dedicated".
• You have to accept the authorization again. When accepting, the former full authorization will be replaced with the smaller scope. The App can no longer e.g. access the email, although the user had accepted to this in the second step.

I think ManiaConnect should check, if the requested scope is already a subset of the allowed one, and only request a new authorization, if there are any new scopes in it. When already having authorization to all scopes, it should not ask for "basic dedicated" anymore.

[steeffeen]

it's still not fixed

is there any chance that this will change in the future? or do you just want to keep it as it is? a simple answer to that question would help a lot as well

use-case example:
first login on a page with only basic access to identify the user but later the user could grant more access in order to use extended functions
at the moment that's not possible with only one application

regards

[magnetik]

The OAuth2 spec does not specify anything about scope changing (There is something about scope changing in token refresh, but we do not offer this feature)

I do not see any use case. Why would you aske for smaller scope if you do not want your scope to be reset ?

I've added the feature in my list, but it's not on top

use-case example:
first login on a page with only basic access to identify the user but later the user could grant more access in order to use extended functions

You can do this, the user will be asked to grant the scope you want.

[m4rcel]

Use Case:
You have a page where you request basic information. Let it be Tetris, which need the information for saving the Highscore.
On a sub page, you have a contact form, and next to the "basic" information, you want to get the "email". No problem, user has to re-validate the authentication as of bigger scope. (This re-validation is completely acceptable.)
That user, after sending the contact request, now goes back and plays another round of Tetris. Highscore requests "basic" scope, as it does not need more information. And so the user has to re-accept the authentication, although he accepted "basic email" before, and the Highscore only requested "basic".

[steeffeen]

m4arcel basically said it, it's fine that there will be another prompt for permission granting if you need a bigger scope! but it's not nice the other way around

in our case there is a website which offers most features with a basic login but there are also extended features for which you will need to grant more permissions like dedicated and buddies, after you've granted these permission and want to login again you will be asked to grant the small scope again because the login only covers the small scope
we don't want to request the big scope right from the start because some users may not want us to access their buddies and stuff BUT want to use the basic features of the website

[magnetik]

If you ask for more permissions once, you should remember the "highest" permission you asked on your side and never ask for a lower.

The change required on server side to support this is not trivial and we have other priorities at the moment.

[steeffeen]

If you ask for more permissions once, you should remember the "highest" permission you asked on your side and never ask for a lower.

we would do that but the basic login on a website for example must have a small scope because old users AND new users login over this site and we don't know yet which user is coming there

at least it's on the list

[magnetik]

I just pushed a new version and it should be working now.