Once a refresh token is used, a new one is emitted to replace it. For now, it is not possible to get less scopes than the ones initially requested. The 'scope' parameter is not taken into account. To test (if app force the usage of PKCE you need to add the required parameters to the following instructions): 1. In the project admin create an OAuth2 app (note the ID and the given secret) 2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=offline_access&response_type=code&redirect_uri=<redirect_uri> 3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL 4. Exchange the authorization code for an access token: shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<client_secret>' \ --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \ https://tuleap.example.com/oauth2/token 5. The response should contain a refresh token. 6. Refresh the access token with the obtained refresh token: shell> curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<cleant_secret>' \ --data 'grant_type=refresh_token&refresh_token=<refresh_token>' \ https://tuleap-web.tuleap-aio-dev.docker/oauth2/token Part of story #14542: have OAuth2 flow Change-Id: I1d09d8fd21c3f14dae26fbff74f021eb9711fe41

+1106 −52

Author

Thomas Gerbet (tgerbet) 2020-03-25 13:33

Committer

Thomas Gerbet (tgerbet) 2020-03-26 10:21

Hash 3a3d6a082819dc8bd0c004d60b59965831c28071

Parent c40e43d244de541dfc18f06e5395141c082f7e15

Reference git #tuleap/stable/3a3d6a082819dc8bd0c004d60b59965831c28071