ccpgames / sso-issues

Please file issues with the CCP SSO (login.eveonline.com) here.

[SSOv2] If no scopes are provided, sso returns HTTP 400 Bad Request after selecting a character that never logged in SSOv2 #40

Open Kyria opened 5 years ago

Kyria commented 5 years ago

Bug

When I try to log in to SSO using no scope at all, in some circumstances SSO throws an HTTP 400: Bad Request just after selecting the character in the UI.

"Some circumstances" means you must never (or maybe just not recently) have logged in using EVE SSO v2 with any scopes with a specific character for this error to happen.

If you logged once with any scope, you won't have it anymore.

Reproduction Steps

  1. Go to the authorize URL without any scope. URL used for my test: https://login.eveonline.com/v2/oauth/authorize?response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A5010%2Fsso%2Fcallback&client_id=1b4e28b61f544fc5a12f89a08ce428ba&state=some_state
  2. Log in
  3. Select a character you never ever used with the SSO V2 and click authorize

Actual Behaviour

You get HTTP 400

Expected Behaviour

Redirected to the application, with the code information, like the v1 SSO would do.

Ionaru commented 5 years ago

This makes it impossible to use SSOv2 for authentication-only apps, doesn't it?

Kyria commented 5 years ago

It's probably the case, unless the character already logged in to SSOv2 somewhere else (I didn't test it since I opened the issue, so I don't remember, even if I'm sure I've tested that case).

Ionaru commented 5 years ago

EDIT: The error 500 was related to crappy code on my part. Please ignore this comment.

For some reason I am able to get past the initial 400 with one character, but get a 500 Internal Server Error from https://login.eveonline.com/v2/oauth/token... with the message: 'An error has occurred.'

Other characters, and even the one I originally had in the above situation, failed when I added a scope to my URL.

My full URL looks like this:

https://login.eveonline.com/v2/oauth/authorize?response_type=code&redirect_uri=http://localhost:3000/sso/auth-callback&client_id=899b84c26c824c129faeb0e6737bac72&state=If5NCUwfuJn3OWc&scopes=esi-skills.read_skills.v1

I've tried encoding the redirect_uri but that did not change anything.

The 400 comes from this URL:

https://login.eveonline.com/v2/oauth/authorizeapp?state=8e1e6de2-27aa-4ec5-a742-02e14d29fce2

What's going wrong here?

CarbonAlabel commented 5 years ago

This bug is still occurring, and I've noticed that the "workaround" seems to be on a per character, per app basis. That is, authorization with no scopes will only work if you have previously gone through an authorization (with scopes) with that character, on that specific app. Trying to authorize with such a character on a different app will fail as described in the issue.

@Ionaru Don't know what's causing your error, but since it's not dependent on inclusion of scopes, I find it unlikely it's the same one. Might be best to open another issue about it.

Ionaru commented 5 years ago

You can work around this by authorizing with the publicData scope. This will not give your app any data it normally wouldn't have and you can successfully complete the SSO.

Not the prettiest of solutions though.

Kyria commented 5 years ago

This won't work for "authorization only" apps.

Ionaru commented 5 years ago

You can also reproduce this on https://esi.evetech.net/ui/

  1. Navigate to https://esi.evetech.net/ui/.
  2. Click "authorize".
  3. Scroll to the bottom of the scopes window without selecting any scopes.
  4. Click "authorize".
  5. Log in with a character that has never logged into the app before.
  6. Get a "Bad Request" screen.

Ermineia commented 5 years ago

Another workaround for "authorization only" apps is to add scope= to the authorization URL. That allowed the https://login.eveonline.com/v2/oauth/authorizeapp?state=.... to get to the next screen confirming that the user is only authenticating with no scopes enabled.
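As an added example (not code from this thread, from CCP, or from any of the commenters), the following shows how a client can build the v2 authorize URL so that the scope parameter is always emitted, even when the scope list is empty (the `scope=` workaround described above), and how it should check the `state` value when the redirect comes back, which is the standard OAuth2 defence against login CSRF. The `client_id` and `redirect_uri` values in the usage section are placeholders, and the callback URL is constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# EVE SSO v2 authorize endpoint, as used in the URLs posted in this issue.
AUTHORIZE_URL = "https://login.eveonline.com/v2/oauth/authorize"


def new_state() -> str:
    """Return an unguessable, single-use state value to bind the callback to this browser session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str], state: str) -> str:
    """Build the authorize URL. The 'scope' key is always present so an
    authentication-only request yields 'scope=' rather than omitting the parameter."""
    params = {
        "response_type": "code",
        "redirect_uri": redirect_uri,  # urlencode percent-encodes ':' and '/' for us
        "client_id": client_id,
        "state": state,
        "scope": " ".join(scopes),  # "" -> "scope=" (the workaround from the thread)
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the app and return the authorization code.

    Raises ValueError if the state is missing or does not match the value stored
    for this session, or if no code was returned. Compared in constant time so the
    check does not leak how many characters matched."""
    query = parse_qs(urlparse(callback_url).query, keep_blank_values=True)
    received_state = query.get("state", [""])[0]
    if not received_state or not hmac.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if not codes or not codes[0]:
        raise ValueError("callback carried no authorization code")
    return codes[0]


if __name__ == "__main__":
    # Placeholder values; a real app uses the client_id and redirect_uri registered for it.
    state = new_state()
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://127.0.0.1:5010/sso/callback", [], state)
    print(url)  # ends with "...&scope=" because the scope list is empty
    # Constructed callback, as the browser would be redirected to it after the user authorizes.
    callback = f"http://127.0.0.1:5010/sso/callback?code=CODE_PLACEHOLDER&state={state}"
    print(parse_callback(callback, state))
```

Store the state server-side (or in a signed cookie) when the authorize URL is generated and discard it once the callback has been processed, so that a replayed or attacker-supplied redirect fails the `parse_callback` check rather than completing a login for the wrong browser session.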

stebet commented 5 years ago

This is being worked on :)