SocialiteProviders / Providers

A Collection of Providers for Laravel Socialite
https://socialiteproviders.com
MIT License

500 Server Error with TikTok #1198

Closed nexxai closed 2 months ago

nexxai commented 2 months ago

Got a weird one here. I've set up the TikTok provider and have gone through the application process with TikTok. I've requested and been approved for the user.info.basic and user.info.profile scopes.

The weirdness happens when I actually try to log in with a TikTok account. I get sent to the correct OAuth approval screen and I correctly approve it, but when I get redirected to my app, my app throws a 500 Server Error.

The redirect URI I get sent back to is https://MYAPP/auth/tiktok/callback?code=2-vF-hhkIvD34ZPoyBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAH81jiR34sCen7wwmI-995ebt9N22PbSZ2AMw5BLAHBLAHBLAHBLAHBLAHBLAHBLAHBLAHbkwvitP-IsmA_vELfgqBLAHBLAHtMfS89IETiVvcBLAHBLAHBLAHBLAHBLAHBLAHseH6PgqnJXjP8MdSyGN0PsCcw-stSV26%2A1%214608.va&scopes=user.info.basic&state=zYVWqwVR5GJBLAHBLAHBLAHBLAH

And it shows that the scopes value is user.info.basic, a scope I've been approved for, but if I check storage/logs/laravel.log, I see this error:

[2024-04-23 22:51:33] production.ERROR: Client error: `GET https://open.tiktokapis.com/v2/user/info/?fields=open_id%2Cunion_id%2Cdisplay_name%2Cavatar_large_url%2Cusername` resulted in a `401 Unauthorized` response:
{"error":{"code":"scope_not_authorized","message":"The user did not authorize the scope required for completing this req (truncated...)
 {"exception":"[object] (GuzzleHttp\\Exception\\ClientException(code: 401): Client error: `GET https://open.tiktokapis.com/v2/user/info/?fields=open_id%2Cunion_id%2Cdisplay_name%2Cavatar_large_url%2Cusername` resulted in a `401 Unauthorized` response:
{\"error\":{\"code\":\"scope_not_authorized\",\"message\":\"The user did not authorize the scope required for completing this req (truncated...)
 at /home/[MYAPP]/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113)

Does anyone have any insight as to why this might be happening?

nexxai commented 2 months ago

Just for posterity's sake:

[Screenshot 2024-04-23 at 5 33 44 PM]

nexxai commented 2 months ago

Created PR here: https://github.com/SocialiteProviders/Providers/pull/1199

atymic commented 2 months ago

@nexxai does the provider by default request access to fields outside of the ones with the default scope? You should call ->scopes() when you use the redirect method to set custom scopes, as this PR changes the default for all users which will break anyone not approved for this scope

nexxai commented 2 months ago

I will try using the ->scopes() method and update this thread, but according to the docs, it says this scope should be required anyway.

[Screenshot 2024-04-25 at 5 05 50 PM]

nexxai commented 2 months ago

Ok, I can confirm that using this worked:

    // Request both scopes explicitly instead of relying on the provider default
    return Socialite::driver('tiktok')
        ->scopes(['user.info.basic', 'user.info.profile'])
        ->redirect();

That said, I still think the default should be to include user.info.profile since you can't technically use Socialite with its defaults for logging in to your Laravel app without it.
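As an added example (not code from the SocialiteProviders repository or from this thread), here is one way to wire the explicit-scope redirect into a Laravel app and, on the callback, check the `scopes` value TikTok sends back (visible in the callback URL quoted above) before calling the user-info endpoint, so a missing grant produces a readable error instead of an unhandled 401 and a 500 page. The route paths, the assumption that `scopes` is comma-separated, and the logging choices are mine.

```php
<?php
// Added example, not part of the SocialiteProviders project. Route paths and the
// comma-separated format of TikTok's `scopes` query parameter are assumptions.

use GuzzleHttp\Exception\ClientException;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Illuminate\Support\Facades\Route;
use Laravel\Socialite\Facades\Socialite;

// Scopes the app has actually been approved for in the TikTok developer portal.
const TIKTOK_REQUIRED_SCOPES = ['user.info.basic', 'user.info.profile'];

Route::get('/auth/tiktok/redirect', function () {
    // Ask for the scopes explicitly rather than relying on the provider default.
    return Socialite::driver('tiktok')
        ->scopes(TIKTOK_REQUIRED_SCOPES)
        ->redirect();
});

Route::get('/auth/tiktok/callback', function (Request $request) {
    // TikTok echoes the granted scopes back in the `scopes` query parameter.
    $granted = array_filter(explode(',', (string) $request->query('scopes', '')));
    $missing = array_diff(TIKTOK_REQUIRED_SCOPES, $granted);

    if ($missing !== []) {
        // Fail early with a clear message; the user-info call would 401 anyway.
        Log::warning('TikTok login: required scope(s) not granted', ['missing' => array_values($missing)]);
        abort(403, 'TikTok did not grant the scopes this app requires.');
    }

    try {
        // Socialite still performs the state check and the token exchange here.
        $user = Socialite::driver('tiktok')->user();
    } catch (ClientException $e) {
        // Keep the full TikTok error body in the log (Laravel's default log line
        // truncates it) but return only a generic message to the browser.
        Log::error('TikTok user-info request failed', [
            'status' => $e->getResponse()->getStatusCode(),
            'body'   => (string) $e->getResponse()->getBody(),
        ]);
        abort(502, 'Could not fetch your TikTok profile.');
    }

    // Log the user in or create the local account here.
    return response()->json(['username' => $user->getNickname()]);
});
```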

atymic commented 2 months ago

Hmm. Which field is included by default that triggers the error? i.e. requires the profile scope? We can release a new major version to make sure we don't break existing.

nexxai commented 2 months ago

I couldn't tell which specific field was triggering the error; the only error message I got was the one I posted in the OP of this thread and it gets truncated before it specifies the missing field.

At the end of the day, a new major version probably makes the most sense since it is definitely a breaking change, but also aligns the intent of the Socialite provider with the reality of what TikTok is providing, and also aligns with the documentation we already have in the repo.

atymic commented 2 months ago

Okay, looking at the docs, username required that scope, which was broken by #1110. Fixed in #1183.

atymic commented 2 months ago

There is no BC break now; add the scope if you want the username.