Details
- Task
- Resolution: Fixed
- P2: Important
- None
- None
- 5
- 571b71763 (dev)
- Foundation Sprint 112, Foundation Sprint 113, Foundation Sprint 114
Description
The application may request authorization for multiple scopes. For instance, it may need access to both calendar and email resources.

However, the user (or the policy of the authorization server) may accept some, all, or none of these scopes, and the application must be prepared to adjust to a scenario where only some of the scopes were permitted. This task is about introducing a convenience method for accessing the currently accepted scopes.

Currently there is a scope property which holds the "desired scope", in other words, not the actual accepted scope. Looking at the implementation, though, it is a bit unclear whether this scope parameter actually serves two roles (desired and result), in which case they should be separated. It also looks like the scope can be received during the authorization stage as well as as part of the access_token acquisition stage.

Also worth noting is QTBUG-85265: with some vendors the scope parameter may be %-encoded in the authorization stage. Checking for a '%' character (or simply always decoding) should be done.

The RFC specifies the server response here. Note that, as stated in the RFC, if the server omits 'scope' in its response we assume that the scopes were accepted as requested. This needs to be documented in the new function's documentation, as this may or may not hold for some server implementations (even though it is an RFC MUST).
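The scope rules described above, as an added example written for this issue (it is not QtNetworkAuth code and uses only the C++ standard library, so the helper names `percentDecodeScope`, `splitScopes`, `grantedScopes` and `missingScopes` are assumptions): the requested scope list is kept separately from the result, the response value is percent-decoded before it is split on spaces, an omitted `scope` in the token response is treated as "granted as requested" per RFC 6749 section 5.1, and the caller can see which requested scopes the server did not grant.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Decode %XX escapes in a scope string. Some vendors percent-encode the space
// that separates scopes ("calendar%20email"), so decoding unconditionally is
// simpler than probing for '%'. '+' is a legal scope character (RFC 6749
// section 3.3) and is deliberately left alone; a malformed escape is kept as is.
std::string percentDecodeScope(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Split a (possibly percent-encoded) space-delimited scope string into
// individual scopes, dropping duplicates but keeping first-seen order.
std::vector<std::string> splitScopes(const std::string &raw) {
    std::istringstream stream(percentDecodeScope(raw));
    std::vector<std::string> scopes;
    std::string token;
    while (stream >> token) {
        if (std::find(scopes.begin(), scopes.end(), token) == scopes.end())
            scopes.push_back(token);
    }
    return scopes;
}

// Effective granted scopes. RFC 6749 section 5.1 requires the server to send
// 'scope' only when it differs from the request, so serverSentScope == false
// is taken to mean the request was granted unchanged. Callers must document
// that assumption, since not every server follows the MUST.
std::vector<std::string> grantedScopes(const std::vector<std::string> &requested,
                                       bool serverSentScope,
                                       const std::string &responseScope) {
    if (!serverSentScope)
        return requested;
    return splitScopes(responseScope);
}

// Requested scopes the server did not grant; the application uses this to
// degrade gracefully (e.g. hide the calendar feature) instead of failing later.
std::vector<std::string> missingScopes(const std::vector<std::string> &requested,
                                       const std::vector<std::string> &granted) {
    std::vector<std::string> missing;
    for (const std::string &s : requested) {
        if (std::find(granted.begin(), granted.end(), s) == granted.end())
            missing.push_back(s);
    }
    return missing;
}

int main() {
    // Constructed sample: the app asked for two scopes, the server (a vendor
    // that percent-encodes) granted only one and said so in the response.
    const std::vector<std::string> requested{"calendar", "email"};
    const std::vector<std::string> granted = grantedScopes(requested, true, "email%20");
    for (const std::string &s : missingScopes(requested, granted))
        std::cout << "not granted: " << s << '\n';   // prints "not granted: calendar"
    return 0;
}
```

The two inputs are kept apart on purpose: `requested` is what the application asked for, and `grantedScopes` is the only thing a "current scopes" accessor should report, which is the separation of the desired and result roles the description asks for.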
Issue Links
- clones: QTBUG-124329 [OAuth] Deprecations and Qt##7 removal markings (Closed)
- is cloned by: QTBUG-124331 [OAuth] Document the use of "IP literal" instead of 'localhost' hostname in redirect_uri (Closed)
- relates to: QTBUG-66415 Access token callback clears scope (Closed)