nraboy / ng-cordova-oauth

AngularJS oauth library for use with Apache Cordova projects
https://www.thepolyglotdeveloper.com
MIT License
456 stars, 199 forks

Uber authorization with privileged scopes not working #235

Open IrakliZ opened 8 years ago

IrakliZ commented 8 years ago

According to the Uber documentation, when authorizing, the response_type must be code, but looking at line 30 of oauth.uber.js the response type is token. This seems to be working for every general scope (different scopes can be found here), but when authorizing for the privileged ones such as request, Uber responds with the following: "ERROR REQUESTED SCOPE NOT VALID FOR IMPLICIT GRANT".

nraboy commented 8 years ago

I'm wondering if Uber dropped support for implicit grants, although it is normal for implicit grants to receive less permissions than explicit.

This is a tough call. Technically, explicit grants should never be used in a client-facing application. This is because the keys are so easily obtainable from a decompiled app. I know ng-cordova-oauth violates this rule quite a bit, but as I always say, use at your own risk.

So the question is, do we leave the implicit grant because it is (or may be) available, or do we switch to the explicit version? I'm leaning more on the implicit.

@matheusrocha89 @IrakliZ any opinions?

matheusrocha89 commented 8 years ago

I'm leaning more on the implicit version too. Hybrid apps are not yet secure for storing keys: if you get the apk and just unzip it, you will get all the code and keys without much work.

IrakliZ commented 8 years ago

I think you're right, keeping the implicit grant is a good idea, but it could be changed so that the user could request the authorization code as well instead of just the token. I didn't think about it until now but it's a bit weird how Uber used to allow implicit grants for scopes such as request, which allows developers to make ride requests on behalf of the users.

nraboy commented 8 years ago

When working with implicit grants you cannot get the code. That makes it an explicit grant. It is an either-or kind of deal, not both.

Maybe open a ticket with Uber and ask why their auth API changed?

IrakliZ commented 8 years ago

I'm not very experienced with this so please feel free to correct me. What I was trying to suggest in my previous comment was that you could allow users to get the access_token with implicit grant for privileged scopes (which is currently the case), or let them request the authorization_code (which you can do by changing the response_type to be code) which they'll use to get the access_token themselves. Thinking about it now, it seems like a bit of a hack because you'd be doing both implicit grant and the first step of the code grant in the same place.
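The two requests being compared in this thread differ only in the response_type parameter, and the redirect that comes back differs in where the credential lands: the implicit grant puts the access token in the URL fragment, while the authorization code grant puts a one-time code in the query string (and the authorization server reports failures such as an invalid scope as an error parameter). The following is an added example for illustration; it is not code from ng-cordova-oauth or from anyone in this thread. The authorization endpoint, client id, redirect URI and the redirect URLs in the comments are placeholders I constructed, not Uber's values.

```javascript
// Added example, not code from ng-cordova-oauth. Builds an authorization
// request for either grant type and parses the redirect that comes back.
// AUTHORIZE_ENDPOINT is a placeholder, not a real provider endpoint.
const AUTHORIZE_ENDPOINT = "https://authorization-server.example/oauth/authorize";

// grant: "implicit" sends response_type=token, "code" sends response_type=code.
// scopes: array of scope names, joined with spaces as OAuth 2.0 expects.
// state: a random value the app keeps so the redirect can be tied to this request.
function buildAuthorizeUrl({ grant, clientId, redirectUri, scopes, state }) {
  const responseType = grant === "code" ? "code" : "token";
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", responseType);
  url.searchParams.set("scope", scopes.join(" "));
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Classifies the redirect the in-app browser lands on after the user consents.
// Returns { type: "token" | "code" | "error", ... } so the caller can decide
// whether it holds a usable access token, a code that still has to be
// exchanged (ideally by a backend that can keep the client secret), or an error.
function parseRedirect(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  // Implicit grant responses (and their errors) arrive in the fragment,
  // which browsers do not send to the server hosting the redirect URI.
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  // Authorization code responses and errors arrive in the query string.
  const query = url.searchParams;
  const params =
    fragment.has("access_token") || fragment.has("error") ? fragment : query;

  // Reject a redirect that does not carry the state this app issued.
  if (expectedState !== undefined && params.get("state") !== expectedState) {
    return { type: "error", error: "state_mismatch" };
  }
  if (params.has("error")) {
    return { type: "error", error: params.get("error") };
  }
  if (params.has("access_token")) {
    return {
      type: "token",
      accessToken: params.get("access_token"),
      expiresIn: Number(params.get("expires_in")),
    };
  }
  if (params.has("code")) {
    return { type: "code", code: params.get("code") };
  }
  return { type: "error", error: "no_credential_in_redirect" };
}

// Constructed sample redirects, shaped like the two grant types' callbacks.
const sampleImplicitRedirect =
  "http://localhost/callback#access_token=tok123&token_type=bearer&expires_in=3600&state=xyz";
const sampleCodeRedirect = "http://localhost/callback?code=c0de&state=xyz";
const sampleErrorRedirect = "http://localhost/callback?error=invalid_scope&state=xyz";

module.exports = { buildAuthorizeUrl, parseRedirect, sampleImplicitRedirect, sampleCodeRedirect, sampleErrorRedirect };
```

Parsing the fragment and the query separately is what keeps the two flows from being confused: a token that was expected in the fragment but shows up in the query string, or a code with no matching state, is treated as an error rather than silently accepted. The code branch only yields the authorization code; exchanging it for an access token requires the client secret, which is the part of the explicit flow the thread says cannot be protected inside a Cordova app.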

nraboy commented 8 years ago

I see what you're saying now.

It seems a bit hacky. Instead of throwing this ticket out, I'm going to leave it open for a while and see if anyone else adds to it. This is a very unique situation that I've not run into yet with this library.

If you know anyone else using Uber APIs, please point them here so they can add their two cents.

Thanks,