Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add oauth scopes #162

Merged
merged 7 commits into from
Oct 12, 2021
Merged

Add oauth scopes #162

merged 7 commits into from
Oct 12, 2021

Conversation

JobDoesburg
Copy link
Collaborator

Closes #137

@JobDoesburg JobDoesburg mentioned this pull request Jul 5, 2021
Merged
@KiOui
Copy link
Owner

KiOui commented Jul 6, 2021

All API requests to the server now fail as we need a Token with scope, we should change this to TokenHasScopeOrLoggedIn or something like that.

@JobDoesburg JobDoesburg requested a review from KiOui July 6, 2021 07:08
@KiOui
Copy link
Owner

KiOui commented Jul 6, 2021

It might be nice to also change the documentation to use the OAUTH scopes instead of the permissions we signed in the backend. Can we only let people with baker permissions request the orders:manage scope or something like that?

@JobDoesburg
Copy link
Collaborator Author

JobDoesburg commented Jul 6, 2021
edited
Loading

It might be nice to also change the documentation to use the OAUTH scopes instead of the permissions we signed in the backend.

The permissions we require are Django permissions. It's different from OAuth scopes (although, yes, they are related). The conventions for naming them are different. For example, the app.permissions is something we cannot deviate from as this is the way Django names their permissions. The OAuth standard however requires the app:scope convention.

Can we only let people with baker permissions request the orders:manage scope or something like that?

No, at least not in a default way. As you can see, the scopes secretly are just strings, they are not really registered in any form. An API can actually request scopes that don't even exist. The only place we could check that is by overriding the OAuth authorization view, which I think is out of scope (pun unintended) for this project.

KiOui
KiOui requested changes Jul 6, 2021
View reviewed changes
website/orders/api/v1/views.py Outdated Show resolved Hide resolved
@KiOui
Copy link
Owner

KiOui commented Jul 6, 2021

I also committed a small typo change (you forgot a comment somewhere)

@KiOui KiOui merged commit 6b0f1c2 into master Oct 12, 2021
@KiOui KiOui deleted the oauth-scopes branch October 12, 2021 14:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@KiOui KiOui KiOui approved these changes

Assignees

@JobDoesburg JobDoesburg

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add OAuth Scopes
2 participants
@JobDoesburg @KiOui