rfk
commented
6 years ago So as a quick update, I've got WIP PRs for each of the three servers:
- https://github.com/mozilla/fxa-auth-server/pull/2501
- https://github.com/mozilla/fxa-oauth-server/pull/551
- https://github.com/mozilla/fxa-profile-server/pull/329
I'm mostly happy with how the shared API has supported them, despite each approaching scope checking in a different way. It has definitely removed a lot of duplicated (and often implicit) logic about how our scopes work.
Things that remain:
- I don't like the way the oauth-server PR has to do a lot of parsing and seralizing of
Scopeobjects, will take a look at the API to see if that can be simplified away - The oauth-server tests are failing because the current implementation of
Scope.add()is not symmetric and does not always remove duplicates, so I need to fix that up. - The current implementation of
Scope.addis quadratic in the number of scopes, so merging these would re-introduce the issue from https://github.com/mozilla/fxa-oauth-server-private/pull/9. I need to revisit the implementation in fxa-shared to make it linear. On the plus side, that fix can now be shared!
I won't get a chance to work on these anymore this week, but will try to revisit on Monday. It will be OK if they are still pending review when we cut train-116, but I'll aim to at least have them ready.
vladikoff
(I'm spinning this out as an issue from https://github.com/mozilla/fxa-oauth-server/pull/551 so that I can link all the PRs in waffle)
While working on adding OAuth support for sync, I figured we should have a canonical reference for what sorts of scope we support and how we check for matches. This issue is to track:
Here's the rendered view of the WIP documentation:
https://github.com/mozilla/fxa-oauth-server/blob/scopes-documentation/docs/scopes.md