[OAuth] The state parameter is empty when "invalid_scope" error
Context
I have a user that only has permissions over some tables inside a schema. If I try to make a request to the OAuth service including any dataset for a table to which my user does not have permissions, I get an error response (as expected) but my state parameter is not properly preserved.
Current Result
When I execute the request:
https://<user>.carto.com/oauth2/authorize?scope=datasets:r:SCHEMA.TABLE_WITHOUT_PERMISSIONS&redirect_uri=http://example.com&state=MY_STATE&client_id=MY_CLIENT_ID&response_type=code
I get the following redirection (note the empty state value):
http://example.com?error=invalid_scope&error_description=Unsupported+scopes:+datasets:r:SCHEMA.TABLE_WITHOUT_PERMISSIONS&state=
Expected Result
I was expecting to get the same provided state:
MY_REDIRECT_URI?error=invalid_scope&error_description=Unsupported+scopes:+datasets:r:SCHEMA.TABLE_WITHOUT_PERMISSIONS&state=MY_STATE
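The behaviour the issue asks for, as an added example that is not part of the original report or of the CARTO code base: RFC 6749 section 4.1.2.1 requires the authorization server to echo `state` back on error redirects too, and a client that binds `state` to its session must refuse any callback (error or success) where it is missing or mismatched. `authorize()`, `GRANTED_SCOPES` and the code value are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
import hmac

# Constructed data: the dataset scopes this user actually holds.
GRANTED_SCOPES = {"datasets:r:SCHEMA.TABLE_A", "datasets:metadata"}


def error_redirect(redirect_uri, error, description, state):
    """Build an error redirect per RFC 6749 4.1.2.1: when the request
    carried `state`, the error response must return it unchanged."""
    params = {"error": error, "error_description": description}
    if state:
        params["state"] = state
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + sep + urlencode(params)


def authorize(params):
    """Hypothetical /oauth2/authorize scope check (not CARTO's code):
    reject unknown scopes with invalid_scope, preserving `state`."""
    requested = set(params.get("scope", "").split())
    unsupported = sorted(requested - GRANTED_SCOPES)
    state = params.get("state")
    if unsupported:
        return error_redirect(params["redirect_uri"], "invalid_scope",
                              "Unsupported scopes: " + ",".join(unsupported),
                              state)
    # Success path: a real server issues the code only after user consent.
    ok = {"code": "CONSTRUCTED_CODE"}
    if state:
        ok["state"] = state
    return params["redirect_uri"] + "?" + urlencode(ok)


def verify_callback(callback_url, expected_state):
    """Client side: the state bound to this session must come back intact
    on success and on error; anything else is not a callback we act on."""
    q = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    got = q.get("state", [""])[0]
    if not hmac.compare_digest(got.encode(), expected_state.encode()):
        return {"outcome": "rejected", "reason": "state missing or mismatched"}
    if "error" in q:
        return {"outcome": "error", "error": q["error"][0]}
    return {"outcome": "success", "code": q["code"][0]}
```

Fed the redirect quoted in the issue (with its empty `state=`), `verify_callback` rejects it, which is exactly why the backend in the report cannot route the error back to the frontend.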
Issue Analytics
- Created 3 years ago
- Comments: 11 (10 by maintainers)
Top GitHub Comments
PR created with the fix: https://github.com/CartoDB/cartodb/pull/15684
@alasarr There’s no short answer for that. Let me explain (sorry for the long text).
The underlying problem is: right now there is no way of obtaining a token that has read permissions for all the datasets of a user.
The workaround we came up with for AENA was to ask the user. Before login, the user chooses from a list of airports he wants to access. With that information we form the scopes, and we do the login. However, we ended up with the problem described in this issue: if the user tries to access an airport he doesn’t have permissions for, the OAuth throws an “invalid scope” error, but the backend is not able to manage the redirection to the frontend as it does not include the state parameter. The main consequence is simply a bad UX.
A couple of weeks ago (long after this workaround was implemented) I had a chat with @alrocar and he explained there is a way to do a double login process that would enable to do what we want to do without asking the user. The process would be:
datasets:metadata
api/v4/datasets
We did not know this process was possible, otherwise we would have opted for this instead of asking the user.
A definite solution would be to have a “wildcard” option for the scopes, and be able to do something like datasets:r. @alrocar mentioned this has been in talks for a while, and in my opinion it’s a feature that will be valuable for many PS projects, present and future. It will also simplify the integration of CARTO’s OAuth.
In conclusion, if this issue is not fixed, we could: