discord / discord-api-docs

Official Discord API Documentation
https://discord.com/developers/docs/intro

Wrong scope in the webhook.incoming oauth2 flow #4553

Closed rouven0 closed 2 years ago

rouven0 commented 2 years ago

Description

When performing a webhook.incoming flow the access token you get has the wrong scope.

Steps to Reproduce

Expected Behavior

I expected the response as it's described in the docs, with the "scope" being "webhook.incoming".

Current Behavior

I received the response as expected with only one discrepancy. The scope field in the response was set to applications.commands.update instead of the webhook scope. In addition to that, the access token provided was also the same as you get for applications.commands.update in the client credentials flow.

Screenshots/Videos

No response

Client and System Information

This issue is independent of platform. For testing purposes I used a simple python flask server.

mbialecka commented 2 years ago

Did you have the webhook.incoming scope missing or did you see an extra applications.commands.update scope? Can you provide the flask server code for repro?

rouven0 commented 2 years ago

After some more testing I have to correct myself. You get all the scopes the app is authorized for but not the webhook.incoming scope. applications.commands.update only showed up because the scope was already given to the app I tested with. But the bug still persists: when testing with a fresh application the scopes field is empty while it should contain at least webhook.incoming, as the docs imply.

Here is the code you requested:

from flask import Flask, request
import requests

app = Flask(__name__)


@app.route("/webhooks")
def webhook():
    # Exchange the authorization code Discord redirected here with
    # for an access token (authorization code grant).
    data = {
        "client_id": "<Client id>",
        "client_secret": "<Client secret>",
        "grant_type": "authorization_code",
        "code": request.args.get("code"),
        "redirect_uri": "<Redirect uri>",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    r = requests.post(
        "https://discord.com/api/v10/oauth2/token", data=data, headers=headers
    )
    r.raise_for_status()
    # Dump the raw token response for inspection (tokens masked below)
    print(r.json())
    return "just some placeholder"

The printed result looks like this:

{
    "access_token": "<masked token>",
    "expires_in": 604800,
    "refresh_token": "<masked token>",
    "scope": "",
    "token_type": "Bearer",
    "webhook": {"the": "webhook is in here"}
}

night commented 2 years ago

This behavior is unfortunately working as intended. The returned access grant returns you the scopes granted to the user. For guild-level scopes, like bot, applications.commands, and webhook.incoming the scopes pass through entirely and are not part of the access grant.

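As an added illustration (not code from this issue or from Discord's docs), here is how a client can apply night's explanation: treat the webhook object, not the scope string, as the evidence that webhook.incoming was granted, and mask token-bearing fields before the response is logged. The webhook sub-fields (id, channel_id, guild_id, token, url) are assumptions about Discord's webhook object, and the sample response is constructed.

```python
from typing import Any, Optional

# Constructed sample in the shape shown in the thread: an empty "scope"
# string plus a "webhook" object. The webhook fields are assumptions
# about Discord's webhook object, not values taken from this issue.
SAMPLE_RESPONSE = {
    "access_token": "<masked token>",
    "expires_in": 604800,
    "refresh_token": "<masked token>",
    "scope": "",
    "token_type": "Bearer",
    "webhook": {
        "id": "123456789012345678",
        "channel_id": "234567890123456789",
        "guild_id": "345678901234567890",
        "token": "constructed-webhook-token",
        "url": "https://discord.com/api/webhooks/123456789012345678/constructed-webhook-token",
    },
}

# Fields that carry credentials; the webhook URL embeds the webhook token.
SECRET_KEYS = {"access_token", "refresh_token", "token", "url"}


def redact(obj: Any) -> Any:
    """Copy of the response with credential fields masked, safe to log."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def granted_webhook(resp: dict) -> Optional[dict]:
    """Return the granted webhook's identifiers, or None if none was granted.

    The "scope" field lists only user-level scopes, so the absence of
    "webhook.incoming" there says nothing; require the webhook object
    itself with the fields the app actually needs.
    """
    if resp.get("token_type") != "Bearer":
        return None
    webhook = resp.get("webhook")
    if not isinstance(webhook, dict):
        return None
    if not all(isinstance(webhook.get(k), str) and webhook[k]
               for k in ("id", "channel_id", "token")):
        return None
    return {"id": webhook["id"], "channel_id": webhook["channel_id"],
            "guild_id": webhook.get("guild_id")}
```
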
advaith1 commented 2 years ago

so this is just a documentation issue?