Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

An access token can be refreshed with a reduced set of scopes

Download Browse

The optional 'scope' paramater is now taken into account when using a refresh token. To test (if app force the usage of PKCE you need to add the required parameters to the following instructions): 1. In the project admin create an OAuth2 app (note the ID and the given secret) 2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=offline_access%20read:project&response_type=code&redirect_uri=<redirect_uri> 3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL 4. Exchange the authorization code for an access token: shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<client_secret>' \ --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \ https://tuleap.example.com/oauth2/token 5. The response should contain a refresh token. 6. Refresh the access token with the obtained refresh token and a reduced set of scopes: shell> curl -X POST -k -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<cleant_secret>' \ --data 'grant_type=refresh_token&refresh_token=<refresh_token>&scope=read:project' \ https://tuleap-web.tuleap-aio-dev.docker/oauth2/token 7. You should a new access token with the read:project and no refresh token has the scope offline_access has not been set when refreshing the token Part of story #14542: have OAuth2 flow Change-Id: Icfc67217bfe1fbba461bfb4a0ae67b5d7edb17f2

+263 −8
Thomas Gerbet (tgerbet) 2020-03-26 12:16
Thomas Gerbet (tgerbet) 2020-03-26 12:16
bda090fa6d59985061999cddf480f1ee852b5e44
0ba97ac0e5d58fe108ce9b5dfd1ae86053aef130
git #tuleap/stable/bda090fa6d59985061999cddf480f1ee852b5e44

Modified Files

Side by side diff
Inline diff
Name
M plugins/oauth2_server/include/AuthorizationServer/AuthorizationEndpointGetController.php +10 −1 Go to diff View file
M plugins/oauth2_server/include/Grant/AccessTokenGrantErrorResponseBuilder.php +6 −0 Go to diff View file
M plugins/oauth2_server/include/Grant/RefreshToken/OAuth2GrantAccessTokenFromRefreshToken.php +24 −1 Go to diff View file
M plugins/oauth2_server/include/RefreshToken/OAuth2RefreshToken.php +31 −0 Go to diff View file
A plugins/oauth2_server/include/RefreshToken/OAuth2ScopeNotCoveredByOneOfTheScopeAssociatedWithTheRefreshTokenException.php +37 −0 Go to diff View file
R plugins/oauth2_server/include/AuthorizationServer/InvalidOAuth2ScopeException.php Go to diff View file
R plugins/oauth2_server/include/AuthorizationServer/ScopeExtractor.php Go to diff View file
M plugins/oauth2_server/include/oauth2_serverPlugin.php +4 −2 Go to diff View file
M plugins/oauth2_server/phpunit/AuthorizationServer/AuthorizationEndpointGetControllerTest.php +11 −2 Go to diff View file
M plugins/oauth2_server/phpunit/Grant/AccessTokenGrantErrorResponseBuilderTest.php +9 −0 Go to diff View file
M plugins/oauth2_server/phpunit/Grant/RefreshToken/OAuth2GrantAccessTokenFromRefreshTokenTest.php +53 −1 Go to diff View file
M plugins/oauth2_server/phpunit/RefreshToken/OAuth2RefreshTokenTest.php +78 −1 Go to diff View file
R plugins/oauth2_server/phpunit/AuthorizationServer/ScopeExtractorTest.php Go to diff View file