FusionAuth / fusionauth-android-sdk

Android SDK for FusionAuth
https://fusionauth.io

Unknown scope policy - Reject does not cause a clear error handling #64

Open Aaron-Ritter opened 1 month ago

Aaron-Ritter commented 1 month ago

Unknown scope policy - Reject does not cause a clear error handling

Description

Unknown scope policy - Reject.

Does not show / cause an error and is just stuck on a blank page.

Affects versions

FusionAuth 1.50.1
FusionAuth Android SDK 0.1.1

Steps to reproduce

Steps to reproduce the behavior:

  1. Leave Scope definition in the app/src/main/res/raw/fusionauth_config.json
  2. Go to the Example Android App Application > Scope
  3. Disable the profile and/or email Scope
  4. Try to login through the Demo App

Expected behavior

Based on the description of the Unknown scope policy definition "Reject", it should reject it by failing the workflow and returning an error.


alex-fusionauth commented 1 month ago

@Aaron-Ritter does this happen on 1.49?

Aaron-Ritter commented 1 month ago

@alex-fusionauth this is only related to the new scope feature introduced in 1.50; all previous releases are working, at least the ones we tested, 1.46 and up.

As we are providing the UserInfo feature with the SDK this started to fail with the FusionAuth 1.50 release for two reasons (Already addressed in https://github.com/FusionAuth/fusionauth-android-sdk/pull/63):

  1. UserInfo was expecting that there is always a return value for certain fields, which with the new scope feature won't be returned in the default configuration if not requested. (It would be less strict if an old FusionAuth environment got upgraded.)
  2. We weren't requesting the new email and profile scope. This was previously returned by default.

The already merged PR https://github.com/FusionAuth/fusionauth-android-sdk/pull/63 addressed this.

During further testing with the new implementation I was making sure that other scenarios with the new scope feature are working as expected, where I found this other issue. It looks at the moment as if the blank return page is an issue coming from FusionAuth itself, but we need to dig into this next week.

Aaron-Ritter commented 1 month ago

This might have been an emulator issue; I was not able to reproduce it with a new setup.

It is now redirecting back with an error.

2024-05-21 16:01:23.382  5796-5822  EGL_emulation           io.fusionauth.app                    D  app_time_stats: avg=20.80ms min=8.09ms max=73.94ms count=43
2024-05-21 16:01:23.622  5796-5796  TokenActivity           io.fusionauth.app                    I  Checking for authorization response
2024-05-21 16:01:23.628  5796-5796  TokenActivity           io.fusionauth.app                    E  Failed to exchange authorization code
                                                                                                    io.fusionauth.mobilesdk.exceptions.AuthorizationException: State mismatch
                                                                                                        at io.fusionauth.mobilesdk.oauth.OAuthAuthorizationService$handleRedirect$2.invokeSuspend(OAuthAuthorizationService.kt:178)
                                                                                                        at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                        at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:811)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:715)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:702)
2024-05-21 16:01:23.956  5796-5822  OpenGLRenderer          io.fusionauth.app                    D  endAllActiveAnimators on 0x7a21291fec10 (InsetDrawable) with handle 0x7a209961b8f0
2024-05-21 16:01:24.599  5796-5796  WindowOnBackDispatcher  io.fusionauth.app                    W  sendCancelIfRunning: isInProgress=falsecallback=android.view.ViewRootImpl$$ExternalSyntheticLambda17@656095f
2024-05-21 16:01:25.392  5796-5822  EGL_emulation           io.fusionauth.app                    D  app_time_stats: avg=187.52ms min=16.52ms max=1004.30ms count=8

Aaron-Ritter commented 1 month ago

The "State mismatch" is indicating that the actual error is not handled, and the redirect shown in the logs is pointing to a scope issue: dat=io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362.

So in summary, the blank page and no redirect happening is more likely an emulator issue; even though it was reproducible in that one emulator at the time, none of the tests cause the same issue now.

But the scope error is something we should handle in the SDK.

2024-05-21 16:16:24.572   513-580   ActivityTaskManager     system_server                        I  START u0 {act=android.intent.action.VIEW cat=[android.intent.category.BROWSABLE] dat=io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362 flg=0x14000000 cmp=io.fusionauth.app/net.openid.appauth.RedirectUriReceiverActivity (has extras)} from uid 10116
2024-05-21 16:16:24.865   513-580   ActivityTaskManager     system_server                        I  START u0 {dat=io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362 flg=0x24000000 cmp=io.fusionauth.app/net.openid.appauth.AuthorizationManagementActivity} from uid 10154
2024-05-21 16:16:24.872   513-580   ActivityTaskManager     system_server                        W  Duplicate finish request for r=ActivityRecord{d587f13 u0 io.fusionauth.app/net.openid.appauth.RedirectUriReceiverActivity t9 f}}
2024-05-21 16:16:24.967   513-816   ActivityTaskManager     system_server                        I  START u0 {dat=io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362 cmp=io.fusionauth.app/io.fusionauth.sdk.TokenActivity (has extras)} from uid 10154
2024-05-21 16:16:24.968   513-816   ActivityTaskManager     system_server                        W  startActivity called from non-Activity context; forcing Intent.FLAG_ACTIVITY_NEW_TASK for: Intent { dat=io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362 cmp=io.fusionauth.app/io.fusionauth.sdk.TokenActivity (has extras) }
2024-05-21 16:16:25.888  4061-4061  TokenActivity           io.fusionauth.app                    I  Checking for authorization response
2024-05-21 16:16:25.980  4061-4061  TokenActivity           io.fusionauth.app                    E  Failed to exchange authorization code
                                                                                                    io.fusionauth.mobilesdk.exceptions.AuthorizationException: State mismatch
                                                                                                        at io.fusionauth.mobilesdk.oauth.OAuthAuthorizationService$handleRedirect$2.invokeSuspend(OAuthAuthorizationService.kt:178)
                                                                                                        at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
                                                                                                        at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:104)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:584)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:811)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:715)
                                                                                                        at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:702)
2024-05-21 16:16:26.308   513-556   ActivityTaskManager     system_server                        I  Displayed io.fusionauth.app/io.fusionauth.sdk.TokenActivity: +1s257ms
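How the redirect from the log above could be inspected so that an `error=invalid_scope` response is surfaced as the server's error rather than as a "State mismatch", as an added Kotlin example that is not the SDK's own code; the names `RedirectResult`, `queryParams` and `handleRedirect` and the stored-state value are assumptions.

```kotlin
import java.net.URLDecoder

// Outcome of inspecting an OAuth 2.0 authorization redirect URI.
sealed class RedirectResult {
    data class Code(val code: String) : RedirectResult()
    data class ServerError(val error: String, val reason: String?, val description: String?) : RedirectResult()
    data class StateMismatch(val expected: String, val actual: String?) : RedirectResult()
    object NoCode : RedirectResult()
}

// Split the query part of the redirect by hand; '+' decodes to a space,
// which is how the error_description in the log above is encoded.
fun queryParams(redirect: String): Map<String, String> {
    val query = redirect.substringAfter('?', missingDelimiterValue = "").substringBefore('#')
    return query.split('&').filter { it.isNotEmpty() }.associate { pair ->
        val key = pair.substringBefore('=')
        val value = pair.substringAfter('=', missingDelimiterValue = "")
        URLDecoder.decode(key, "UTF-8") to URLDecoder.decode(value, "UTF-8")
    }
}

fun handleRedirect(redirect: String, expectedState: String): RedirectResult {
    val p = queryParams(redirect)
    // State is checked first: a response whose state does not match was not started
    // by this client, so neither its code nor its error parameters should be trusted.
    if (p["state"] != expectedState) return RedirectResult.StateMismatch(expectedState, p["state"])
    // With a matching state, look for an error response before expecting a code.
    // This is the branch that reports the invalid_scope redirect from the log as
    // a server error instead of falling through to a misleading state failure.
    p["error"]?.let { return RedirectResult.ServerError(it, p["error_reason"], p["error_description"]) }
    return p["code"]?.let { RedirectResult.Code(it) } ?: RedirectResult.NoCode
}

fun main() {
    // Constructed from the dat= value in the log above. The expected state is assumed
    // to be the value the client stored before opening the authorization request.
    val redirect = "io.fusionauth.app:/oauth2redirect?error=invalid_scope&error_reason=unknown_scope" +
        "&error_description=Invalid+scope.+The+scopes+[profile]+are+unknown.&state=state-1716300975362"
    println(handleRedirect(redirect, "state-1716300975362")) // server error is reported as such
    println(handleRedirect(redirect, "state-other"))         // genuine state mismatch
}
```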