go-oauth2 / oauth2

OAuth 2.0 server library for the Go programming language.
https://pkg.go.dev/github.com/go-oauth2/oauth2/v4
MIT License

When obtaining the token through oauth2 concurrently, only the scope value is different, but the returned token is the same #245

Closed Lewis-liuwei closed 1 year ago

Lewis-liuwei commented 1 year ago

When obtaining the token through oauth2 concurrently, only the scope value is different, but the returned token is the same.

The params:

```go
data := url.Values{}
data.Set("grant_type", "client_credentials")
data.Set("scope", fmt.Sprintf("viewer:%s:%s:%s", req.FileId, req.ViewerType, req.AppKey))
data.Set("client_id", req.AppId)
data.Set("client_secret", req.AppKey)
```

return: (screenshot of the identical tokens; image not reproduced)

Lewis-liuwei commented 1 year ago

We have found the problem. The key point is the UserID in the token. When the token is obtained through client_credentials, the UserID is set to be empty, resulting in the same token being returned under concurrent conditions. At present, the md5 encryption of the scope has been assigned to UserID; problem solved.
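The failure mode described in this thread, reproduced as an added example that is not code from the go-oauth2 project or from the issue's author. It assumes a JWT-like generator whose signed material is only audience (client ID), subject (UserID) and expiry at second granularity: for a client_credentials grant the subject is empty, so concurrent requests that differ only in scope collide. The hardened generator binds a hash of the scope into the claims (the same idea as the reporter's md5-of-scope fix, here with SHA-256) and adds a random jti so that even two identical requests never share a token. The signing key, claim names and the `Request` type are constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sync"
	"time"
)

// Constructed key for this example only; a real server loads it from configuration.
var signingKey = []byte("example-hmac-key-not-for-production")

// Request models what a client_credentials grant hands to the token generator.
// UserID is empty for this grant, which is exactly the situation in the issue.
type Request struct {
	ClientID string
	UserID   string
	Scope    string
	Exp      int64 // expiry as unix seconds, i.e. second granularity
}

// naiveClaims carries only audience, subject and expiry: scope is not part of the
// signed material, so requests differing only in scope yield identical tokens.
type naiveClaims struct {
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// hardenedClaims additionally binds a hash of the scope and a random jti.
type hardenedClaims struct {
	naiveClaims
	ScopeHash string `json:"scope_hash"`
	JTI       string `json:"jti"`
}

// encode builds a JWT-like compact token: base64url(claims) "." base64url(HMAC-SHA256).
func encode(claims any) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, signingKey)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." +
		base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// NaiveToken reproduces the reported behaviour: the scope never reaches the token.
func NaiveToken(r Request) (string, error) {
	return encode(naiveClaims{Aud: r.ClientID, Sub: r.UserID, Exp: r.Exp})
}

// HardenedToken is the corrected generator: scope-bound and unique per issuance.
func HardenedToken(r Request) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(r.Scope))
	return encode(hardenedClaims{
		naiveClaims: naiveClaims{Aud: r.ClientID, Sub: r.UserID, Exp: r.Exp},
		ScopeHash:   hex.EncodeToString(h[:]),
		JTI:         hex.EncodeToString(nonce),
	})
}

// DistinctTokens issues one token per scope concurrently, as the reporter's clients did,
// and returns how many distinct token strings came back. A correct generator returns len(scopes).
func DistinctTokens(gen func(Request) (string, error), base Request, scopes []string) (int, error) {
	var (
		wg       sync.WaitGroup
		mu       sync.Mutex
		seen     = map[string]struct{}{}
		firstErr error
	)
	for _, s := range scopes {
		wg.Add(1)
		go func(scope string) {
			defer wg.Done()
			r := base
			r.Scope = scope
			tok, err := gen(r)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if firstErr == nil {
					firstErr = err
				}
				return
			}
			seen[tok] = struct{}{}
		}(s)
	}
	wg.Wait()
	return len(seen), firstErr
}

func main() {
	base := Request{ClientID: "app-123", Exp: time.Now().Add(time.Hour).Unix()}
	scopes := []string{"viewer:f1:pdf:k1", "viewer:f2:pdf:k1", "viewer:f3:docx:k2"}
	n, _ := DistinctTokens(NaiveToken, base, scopes)
	fmt.Printf("naive generator: %d distinct tokens for %d scopes\n", n, len(scopes))
	n, _ = DistinctTokens(HardenedToken, base, scopes)
	fmt.Printf("hardened generator: %d distinct tokens for %d scopes\n", n, len(scopes))
}
```

The detection angle is the same count: a token store that keys on the token string will silently overwrite one request's scope with another's when the generator collides, so counting distinct tokens issued per client per second is a cheap canary for this class of bug.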