google / gtm-oauth2

Google Toolbox for Mac - OAuth 2 Controllers
Apache License 2.0

GTMOAuth2Authentication.refreshScope is either useless or broken #27

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
GTMOAuth2Authentication has properties called scope and refreshScope.  Inside 
makeTokenFetchRequest on line 778 (of 
http://gtm-oauth2.googlecode.com/svn/trunk r121), the refreshScope property is 
used to set the "scope" URL parameter.  It is then potentially overwritten by 
the value of the scope property on line 794, which sets exactly the same URL 
parameter.

As far as I can see, either refreshScope was intended to set a URL parameter 
called refreshScope instead of scope (in which case it is broken right now) or 
it's a bit of old code that has been superseded and is no longer useful (since 
callers can always use scope instead).

The refreshScope property is declared in a section commented "OAuth2 standard 
protocol parameters" but I can't find a refreshScope or refresh_scope parameter 
in RFC 6749 or https://developers.google.com/accounts/docs/OAuth2WebServer, so 
I don't know what standard this is referring to, if any.

Original issue reported on code.google.com by ewanmel...@gmail.com on 13 Mar 2014 at 11:16

GoogleCodeExporter commented 9 years ago
The scope string is taken from the scope property when exchanging an access 
code for a refresh token, and from the refreshScope property when exchanging a 
refresh token for an access token, so it's not really being overwritten in that 
code. There's no public standard for a scope supplied with a refresh token, nor 
is it currently supported by Google, though individual OAuth 2 servers may 
allow a scope specification during that exchange.

Original comment by grobb...@google.com on 13 Mar 2014 at 11:52
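
An added example, not part of the thread and not gtm-oauth2 code: a Python model of the behaviour described in the reply above, where the single `scope` form parameter is filled from `scope` on the code exchange and from `refreshScope` on the refresh exchange. The function names, the sample values, the precedence of the refresh token when both credentials are present, and the server-side narrowing policy are assumptions made for the illustration.

```python
from urllib.parse import urlencode, parse_qs


def build_token_request(client_id, *, code=None, refresh_token=None,
                        scope=None, refresh_scope=None):
    """Client side: form body for the token endpoint.

    Only one grant type is sent per request, so only one of the two
    properties ever ends up in the "scope" parameter.
    Assumption: a refresh token, when present, takes precedence.
    """
    params = {"client_id": client_id}
    if refresh_token is not None:
        params["grant_type"] = "refresh_token"
        params["refresh_token"] = refresh_token
        chosen = refresh_scope
    elif code is not None:
        params["grant_type"] = "authorization_code"
        params["code"] = code
        chosen = scope
    else:
        raise ValueError("need an authorization code or a refresh token")
    if chosen:
        params["scope"] = chosen
    return urlencode(params)


def scope_for_refresh(body, granted):
    """Server side (assumed policy): a refresh may narrow the scope that
    was originally granted, never widen it. No scope means "unchanged"."""
    requested = set(parse_qs(body).get("scope", [""])[0].split())
    if not requested:
        return set(granted)
    extra = requested - set(granted)
    if extra:
        raise PermissionError("invalid_scope: " + " ".join(sorted(extra)))
    return requested


if __name__ == "__main__":
    granted = {"mail", "calendar"}  # constructed sample values
    first = build_token_request("cid", code="abc",
                                scope="mail calendar", refresh_scope="mail")
    later = build_token_request("cid", refresh_token="rt",
                                scope="mail calendar", refresh_scope="mail")
    print(first)
    print(later, "->", sorted(scope_for_refresh(later, granted)))
```

A server that accepts a scope on refresh without a check like `scope_for_refresh` would let a holder of a refresh token ask for more access than the user approved.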