Skip to content

Scope checking is too strict and causes error when the number of scopes requested is reduced #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wobinb opened this issue Apr 22, 2021 · 3 comments · May be fixed by XeroAPI/xero-python-oauth2-app#47
Closed

Scope checking is too strict and causes error when the number of scopes requested is reduced #48

wobinb opened this issue Apr 22, 2021 · 3 comments · May be fixed by XeroAPI/xero-python-oauth2-app#47
Assignees
@leegough

Comments

@wobinb
Copy link

wobinb commented Apr 22, 2021

Scopes in Xero's OAuth 2.0 implementation are additive.

If the first time a connection is authorised scopes A, B and C are requested, they will always be included.

On a second authorisation for the same user, if only scopes A and B are requested, C will also be returned.

The SDK appears to then do a validation check to verify the scopes returned match the ones requested, and the process fails.

To recreate:

  1. Set the scopes to include payroll.employees and complete the authorisation process for one user.
  2. Remove the payroll.employees and repeat the authorisation process for the same user.
  3. Observe the process fails with a Scope has changed from... error
@RettBehrens
Copy link
Contributor

RettBehrens commented Apr 26, 2021
edited
Loading

Per the docs around scope:

"It's not possible to remove scopes from an existing access token. The only way to reduce consented scopes is to revoke the token and start again."

@wobinb As part of the described steps to replicate above, does the user disconnect from Xero via the connected apps dashboard or does Xero consider the app already authenticated (option is grey and continue with 1 org text present) during the second auth flow?

@wobinb
Copy link
Author

wobinb commented Dec 24, 2021

@RettBehrens in the replication steps above the app remains connected, so it would essentially be a re-authentication

Seems to still be an issue, see: #73

@wobinb wobinb mentioned this issue Dec 24, 2021
Closed
@leegough leegough linked a pull request Feb 17, 2023 that will close this issue
xero-python-oauth2-app Scope Checking Warning Flag fix XeroAPI/xero-python-oauth2-app#47
Open
@RettBehrens
Copy link
Contributor

The following solution has been identified XeroAPI/xero-python-oauth2-app#47

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leegough leegough

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

xero-python-oauth2-app Scope Checking Warning Flag fix XeroAPI/xero-python-oauth2-app
3 participants
@wobinb @leegough @RettBehrens