Skip to content
This repository has been archived by the owner on Feb 25, 2019. It is now read-only.
This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

Verifying access token scopes #25

Open
Open
Verifying access token scopes#25
@hedleysmith

Description

@hedleysmith
hedleysmith
opened on Mar 30, 2016

I've run into an issue in a few instances where an access token is not being verified by AccessToken.verify and the "Insufficient scope" error is being thrown, it's coming from this line:

https://github.com/anvilresearch/connect-nodejs/blob/master/lib/AccessToken.js#L160

I wonder if this check is too restrictive, e.g if an access token has the scope:

"openid email profile phone"

And the Anvil Connect instance is configured with the scope:

"openid profile phone email"

Equally if an access token has any additional scopes the verification will also fail.

Is this by design? Should the scope verification match the exact string, or could we explode the scopes string into components and check that the JWT scopes match on a per-scope basis? Or maybe I'm missing something about this scope verification check entirely?

Happy to provide a patch for this but wanted to check up on the motivation for this design beforehand.

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions