Closed rouven0 closed 2 years ago
Did you have `webhook.incoming` scope missing or did you see extra `applications.commands.update` scope? Can you provide the Flask server code for repro?
After some more testing I have to correct myself. You get all the scopes the app is authorized for but not the `webhook.incoming` scope. `applications.commands.update` only showed up because the scope was already given to the app I tested with.
But the bug still persists: when testing with a fresh application the scopes field is empty while it should contain at least `webhook.incoming`, as the docs imply.
Here is the code you requested:
```python
import requests
from flask import Flask, request

app = Flask(__name__)


@app.route("/webhooks")
def webhook():
    # Exchange the authorization code from the redirect for a token.
    data = {
        "client_id": "<Client id>",
        "client_secret": "<Client secret>",
        "grant_type": "authorization_code",
        "code": request.args.get("code"),
        "redirect_uri": "<Redirect uri>",
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    r = requests.post(
        "https://discord.com/api/v10/oauth2/token",
        data=data,
        headers=headers,
        timeout=10,
    )
    r.raise_for_status()
    print(r.json())  # repro only: this prints live tokens
    return "just some placeholder"
```
The printed result looks like this:
```json
{
    "access_token": "<masked token>",
    "expires_in": 604800,
    "refresh_token": "<masked token>",
    "scope": "",
    "token_type": "Bearer",
    "webhook": {"the": "webhook is in here"}
}
```
This behavior is unfortunately working as intended. The returned access grant returns you the scopes granted to the user. For guild-level scopes, like `bot`, `applications.commands`, and `webhook.incoming` the scopes pass through entirely and are not part of the access grant.
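An added example, not part of the thread or of Discord's code: one way a client can check the token response given the behavior described above, by treating the `webhook` object rather than the `scope` string as proof of a `webhook.incoming` grant, and by redacting secrets before logging. The webhook field names `id`, `token` and `url` are assumed from Discord's webhook object (the thread shows only a placeholder), and the sample response is constructed.

```python
# Guild-level scopes that, per the reply above, never appear in "scope".
GUILD_LEVEL_SCOPES = {"bot", "applications.commands", "webhook.incoming"}
# Keys whose values are bearer secrets (the webhook URL embeds its token).
SECRET_KEYS = {"access_token", "refresh_token", "token", "url"}

# Constructed sample shaped like the response printed in the thread.
SAMPLE = {
    "access_token": "constructed-access-token",
    "expires_in": 604800,
    "refresh_token": "constructed-refresh-token",
    "scope": "",
    "token_type": "Bearer",
    "webhook": {
        "id": "1",
        "token": "constructed-webhook-token",
        "url": "https://discord.com/api/webhooks/1/constructed-webhook-token",
    },
}


def redact(obj):
    """Return a copy that is safe to log, at any nesting depth."""
    if isinstance(obj, dict):
        return {k: "<redacted>" if k in SECRET_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def interpret_grant(token_response, requested_scopes):
    """Validate a grant without expecting guild-level scopes in "scope"."""
    user_scopes = set((token_response.get("scope") or "").split())
    requested = set(requested_scopes)
    # Only user-level scopes are echoed back, so only those are compared.
    missing_user = (requested - GUILD_LEVEL_SCOPES) - user_scopes
    webhook = token_response.get("webhook")
    webhook_ok = isinstance(webhook, dict) and all(
        webhook.get(k) for k in ("id", "token"))
    if "webhook.incoming" in requested and not webhook_ok:
        raise ValueError("webhook.incoming requested but no webhook returned")
    if missing_user:
        raise ValueError(f"user-level scopes missing: {sorted(missing_user)}")
    return {"user_scopes": user_scopes, "webhook_granted": webhook_ok}


if __name__ == "__main__":
    print(redact(SAMPLE))
    print(interpret_grant(SAMPLE, ["webhook.incoming"]))
```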
So this is just a documentation issue?
Description
When performing a `webhook.incoming` flow the access token you get has the wrong scope.
Steps to Reproduce
`webhook.incoming` scope
Expected Behavior
I expected the response as it's described in the docs, with the "scope" being "webhook.incoming".
Current Behavior
I received the response as expected with only one discrepancy. Scope field in the response was set to `applications.commands.update` instead of the webhook scope. In addition to that, the access token provided was also the same as you get for `applications.commands.update` in the client credentials flow.
Screenshots/Videos
No response
Client and System Information
This issue is independent of platform. For testing purposes I used a simple Python Flask server.