Closed boraarslan closed 1 year ago
The osu! API doesn't return the scopes in the request response. I looked up through the source code to find a way to get the scope information somehow but failed.
There are two options: Using client credentials grant for public scope requests or making a separate request to public endpoints to test the scopes.
I feel like the first option is the intended use by osu! devs and it would save us from an extra request in between.
I also did some research on the implementation of OAuth 2 in the osu-web repository and I think it's completely handled by Laravel, which means that the authorization code grant flow code is encrypted with a key hidden on the server. That's the reason why the length of the code changes with the changing scope. But since it's encrypted, there is no way for us to get the contents. Therefore, the only reasonable way to test scopes is to verify the length of the code string if we want to avoid extra calls.
https://github.com/ppy/osu-web/issues/10146 PR will come soon.
It is possible to manipulate the scopes when redirected to the osu! OAuth page. For example, if a user removes `public` from the query parameter `scope` and we try to make an osu! request that depends on that scope with that user's token, the API fails because of insufficient permissions. We want to know if the user granted us the correct permissions before letting them use the site.
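One way to implement the "probe a public endpoint" option from the thread, as an added example that is neither osu-web code nor the issue author's: each required scope is mapped to an endpoint that needs it, a 401/403 from the probe is treated as a scope the user dropped from the `scope` parameter, and any other failure is kept separate so an API outage is not mistaken for missing consent. The endpoint paths and the injectable `http_get` transport are assumptions.

```python
import urllib.request
import urllib.error

# Assumed scope -> endpoint mapping; the paths are placeholders for illustration,
# not taken from the osu! API documentation. Each should need only that scope.
SCOPE_PROBES = {
    "identify": "https://osu.ppy.sh/api/v2/me",
    "public": "https://osu.ppy.sh/api/v2/EXAMPLE-public-endpoint",
}


def default_http_get(url, token):
    """Return the HTTP status of a GET with the user's Bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def verify_scopes(token, required_scopes, http_get=default_http_get):
    """Probe one endpoint per required scope.

    Returns {scope: 'granted' | 'missing' | 'unknown'}. 401/403 means the
    token lacks the scope (e.g. the user edited the `scope` query parameter
    before approving); other non-2xx statuses are 'unknown', not 'missing'.
    """
    result = {}
    for scope in required_scopes:
        url = SCOPE_PROBES.get(scope)
        if url is None:
            raise ValueError(f"no probe endpoint configured for scope {scope!r}")
        status = http_get(url, token)
        if 200 <= status < 300:
            result[scope] = "granted"
        elif status in (401, 403):
            result[scope] = "missing"
        else:
            result[scope] = "unknown"
    return result


def consent_complete(token, required_scopes, http_get=default_http_get):
    """True only when every required scope probed as granted."""
    checks = verify_scopes(token, required_scopes, http_get)
    return all(state == "granted" for state in checks.values())
```

Run the checks once right after the token exchange and before creating the user's session; a result of `unknown` should be retried rather than treated as a refusal.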