payprop / net-oauth2-authorizationserver

Module to implement core functions of an OAuth2 authorization server

oauth2_server_db.pl question #30

Closed danjboyd closed 3 years ago

danjboyd commented 3 years ago

I was noticing that the user_id was getting dropped from the JWT/access token after I refreshed with a refresh token.

Looking at the sample code, under

my $verify_access_token_sub = sub {
  my ( %args ) = @_;

  my ( $c,$access_token,$scopes_ref,$is_refresh_token )
        = @args{qw/ mojo_controller access_token scopes is_refresh_token /};

  my $rt = $c->db->get_collection( 'refresh_tokens' )->find_one({
    refresh_token => $access_token
  });

  if ( $is_refresh_token && $rt ) {

    if ( $scopes_ref ) {
      foreach my $scope ( @{ $scopes_ref // [] } ) {
        if ( ! exists( $rt->{scope}{$scope} ) or ! $rt->{scope}{$scope} ) {
          $c->app->log->debug(
            "OAuth2::Server: Refresh token does not have scope ($scope)"
          );
          return ( 0,'invalid_grant' );
        }
      }
    }

    return $rt;     # <-- just returning a scalar here
  }

  # ... (rest of the sample callback not quoted)
};

if it's a refresh token, we ultimately just return $rt.

But, that method is ultimately called from Mojolicious::Plugin::OAuth2::Server.pm in the _verify_credentials sub:

if ( $grant_type eq 'refresh_token' ) {
  # verify_token_and_scope calls verify_access_token_sub and expects
  # four return values back, including $user_id
  ( $client,$error,$scope,$user_id ) = $Grant->verify_token_and_scope(
    refresh_token =>   $refresh_token,
    auth_header =>     $self->req->headers->header( 'Authorization' ),
    mojo_controller => $self,
  );
  $old_refresh_token = $refresh_token;
...
danjboyd commented 3 years ago

In my code, I have just replaced return $rt; with return ( $rt, undef, $rt->{scope}, $rt->{user_id} );

but wanted to confirm that's how things were intended to work
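The return-value contract discussed in this thread, shown as an added example (not code from the thread or from Net-OAuth2-AuthorizationServer itself). It replaces the MongoDB collection of the sample code with a constructed in-memory hash, drops the Mojolicious controller, and calls the callback in list context the way the plugin's _verify_credentials does, so that the difference between returning a bare $rt and returning the four-element list is visible: with the scalar return, $error receives the hashref's scope and $user_id is undef.

```perl
use strict;
use warnings;

# Constructed stand-in for the 'refresh_tokens' collection (assumption:
# same record shape as the sample, scope stored as a hash of name => 1).
my %refresh_tokens = (
    'rt-example-1' => {
        refresh_token => 'rt-example-1',
        client_id     => 'test_client',
        user_id       => 'alice',
        scope         => { post_images => 1, annoy_friends => 1 },
    },
);

# Callback that mirrors the sample's refresh-token branch but returns
# the list the plugin unpacks as ( $client, $error, $scope, $user_id ).
my $verify_access_token_sub = sub {
    my ( %args ) = @_;
    my ( $access_token, $scopes_ref, $is_refresh_token )
        = @args{qw/ access_token scopes is_refresh_token /};

    my $rt = $refresh_tokens{$access_token};

    if ( $is_refresh_token && $rt ) {
        # every requested scope must already be on the refresh token;
        # a refresh must never widen the grant
        foreach my $scope ( @{ $scopes_ref // [] } ) {
            return ( 0, 'invalid_grant' ) unless $rt->{scope}{$scope};
        }
        # list return keeps user_id attached to the refreshed token
        return ( $rt, undef, $rt->{scope}, $rt->{user_id} );
    }

    return ( 0, 'invalid_grant' );
};

# Same branch with the sample's original scalar return, for contrast.
my $verify_scalar_sub = sub {
    my ( %args ) = @_;
    my $rt = $refresh_tokens{ $args{access_token} };
    return $rt if $args{is_refresh_token} && $rt;
    return ( 0, 'invalid_grant' );
};

# The plugin assigns the result in list context, exactly like this.
my ( $client, $error, $scope, $user_id ) = $verify_access_token_sub->(
    access_token     => 'rt-example-1',
    scopes           => ['post_images'],
    is_refresh_token => 1,
);
printf "list return:   client=%s error=%s user_id=%s\n",
    $client->{client_id}, $error // '(undef)', $user_id // '(undef)';

( $client, $error, $scope, $user_id ) = $verify_scalar_sub->(
    access_token     => 'rt-example-1',
    is_refresh_token => 1,
);
printf "scalar return: client=%s error=%s user_id=%s\n",
    $client->{client_id}, $error // '(undef)', $user_id // '(undef)';

# A scope the refresh token was never granted is rejected.
( $client, $error ) = $verify_access_token_sub->(
    access_token     => 'rt-example-1',
    scopes           => ['admin'],
    is_refresh_token => 1,
);
printf "unknown scope: client=%s error=%s\n", $client, $error;
```

Running it prints user_id=alice for the list return and user_id=(undef) for the scalar return, which is the symptom reported at the top of the thread: the refreshed access token is minted without a user_id because the plugin never received one.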

leejo commented 3 years ago

Yeah, this is probably a failure to update the example code after changes to the lib. Will fix shortly.