pelle / oauth-plugin

Rails plugin for OAuth
http://stakeventures.com/articles/2009/07/21/consuming-oauth-intelligently-in-rails
MIT License

Should post really be required for authorization requests? #107

Closed ephracis closed 12 years ago

ephracis commented 12 years ago

I noticed that during a second login (using Devise) the plugin will re-ask for authorization and create yet another token. If the user has already authorized the app, s/he should not be bothered to do it again, at least not until s/he revokes the token.

By removing the requirement for the request to be POST the issue is now gone.

zeantsoi commented 12 years ago

When dropping this into my own code, I've noticed that this bypasses user authorization for all requests, not just subsequent logins for users who have already authorized the app. This means that new users are automatically granted access tokens regardless of whether they have previously authorized the app or not.

Are you experiencing a similar behavior?

Using Rails 3.1.0 and oauth-plugin 0.4.0.rc2.

ephracis commented 12 years ago

Can't say that I am. In my setup the user is always asked to authorize the app during the first login procedure. Perhaps this could be tied to differences in the authentication solutions. I am using Devise. Did you even experience the bug I am trying to fix, btw?

       Christoffer

zeantsoi commented 12 years ago

I'm using Devise as well. I am experiencing the behavior that you're describing (i.e., non-POST requests are asked for re-authorization and granted another token), but perhaps that is because in my environment, new request/access token pairs are generated for each login regardless of whether the user has previously authorized the application.

Are you saying that only one request/access token pair should be granted to the user upon authorization? If so, I'm not sure where in the gem lies the mechanism for re-assigning that pair to its respective user upon subsequent sign ins...

ephracis commented 12 years ago

I am not knowledgeable enough to comment on how exactly to solve this but I think that it's important to only ask for auth once (until revoke). I ended up with the same app appearing several times as authed.

If my patch breaks things for some setups it might need revision. It works as expected for me though. Only one auth per app. :)


zeantsoi commented 12 years ago

I actually got my app working correctly, i.e., one authorization token per user. Looks like the problem was a bad setup, not related to the issue you've opened up here. Sorry about that.

For me, circumventing the issue described (users who have authorized are still asked for authorization upon subsequent logins) required not only your patch, but modifying the user_authorizes_token? method in oauth_controller.rb to return true if the user has an associated authorization token. Just an FYI, might just be a screwy thing with my environment.

ephracis commented 12 years ago

Ah great. I will check it out when I get home. I'm at the hospital now, just got a daughter. :)


chrisupb commented 12 years ago

By the way: Should authorize not send the resource owner id back to the app? How do I inform the mobile client about who is currently using the app and which access_token it has to use from the database?

Is this scenario right: App always opens the provider's authorize-url (=login page). Resource owner logs in and IF he already authorized the app, his id is sent back to the app. App searches for the right access_token and uses it for requests.

zeantsoi commented 12 years ago

Congratulations, @ephracis! Hope you're managing to get more than two hours of sleep a night.

@chrisupb, the authorize! method (not sure there's an authorize) will only return true/false... so no, it doesn't return the resource owner id by default. I'm sure it could be modified to if needed, however. The general flow you've described sounds right to me, but this thread is about removing the need to open the authorization page on logins subsequent to the initial authorization. You might want to read some other threads if you're looking for a different sort of behavior.

pelle commented 12 years ago

Authorization is done by redirect or a link from some external site so the initial page must be GET. The actual authorization is done with a POST.

There must be something going on with Devise or warden. Not quite sure what though.
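As an added example, not oauth-plugin's own code and not the controller any of the comments above refer to, the following in-memory stand-in for an OAuth 1.0a provider's authorize action shows the split pelle describes (a GET only renders the consent page, a POST carrying the Rails authenticity token performs the grant), the "ask once until revoke" behaviour ephracis wanted, implemented as an already-authorized check of the kind zeantsoi put into user_authorizes_token?, and what a link alone can do once the POST requirement is dropped. Provider, ClientApp, RequestToken, AccessToken, the allow_get_grant switch and the returned symbols are hypothetical; the users, consumer key and CSRF value are constructed for the example.

```ruby
require 'securerandom'

# Hypothetical stand-ins for the provider's models; not oauth-plugin's classes.
ClientApp    = Struct.new(:key, :name)
RequestToken = Struct.new(:token, :client, :user, :authorized)
AccessToken  = Struct.new(:token, :client, :user, :revoked)

class Provider
  attr_reader :access_tokens

  def initialize
    @request_tokens = {}
    @access_tokens  = []
  end

  def issue_request_token(client)
    rt = RequestToken.new(SecureRandom.hex(8), client, nil, false)
    @request_tokens[rt.token] = rt
    rt
  end

  # Plays the role of the user_authorizes_token? hook from the thread: the
  # user has already consented when a non-revoked access token exists.
  def already_authorized?(user, client)
    @access_tokens.any? { |a| a.user == user && a.client == client && !a.revoked }
  end

  def revoke(user, client)
    @access_tokens.each { |a| a.revoked = true if a.user == user && a.client == client }
  end

  # Stand-in for the authorize action. method is the HTTP verb, params the
  # query/form fields, session the signed-in user's session. Returns a symbol
  # naming the response a controller would send.
  def authorize(method:, params:, session:, allow_get_grant: false)
    user = session[:user] or return :redirect_to_login
    rt = @request_tokens[params[:oauth_token]] or return :invalid_token
    return :already_used if rt.authorized

    # Already-approved app: grant on the GET redirect without a prompt.
    # exchange below reuses the live token, so no duplicate record appears.
    return grant(rt, user) if already_authorized?(user, rt.client)

    case method
    when :get
      # allow_get_grant models dropping the POST requirement: any link that
      # carries a request token then grants it with no consent click.
      allow_get_grant ? grant(rt, user) : :render_consent_form
    when :post
      # Rails' authenticity token: without it a third-party page could submit
      # the consent form on the victim's behalf.
      return :csrf_rejected unless params[:authenticity_token] == session[:csrf]
      params[:authorize] == '1' ? grant(rt, user) : :denied
    else
      :method_not_allowed
    end
  end

  # Access-token step. Returns the existing live token for (user, client) when
  # there is one, so re-authorising an approved app yields one record, not two.
  def exchange(request_token)
    rt = @request_tokens.delete(request_token)
    return nil unless rt&.authorized
    existing = @access_tokens.find { |a| a.user == rt.user && a.client == rt.client && !a.revoked }
    return existing if existing
    at = AccessToken.new(SecureRandom.hex(8), rt.client, rt.user, false)
    @access_tokens << at
    at
  end

  private

  def grant(rt, user)
    rt.authorized = true
    rt.user = user
    :granted
  end
end

# Walks through the cases raised in the thread. 'alice', 'bob', 'ckey' and the
# 'tok123' CSRF value are constructed inputs.
def demo
  provider = Provider.new
  app      = ClientApp.new('ckey', 'Mobile client')
  alice    = { user: 'alice', csrf: 'tok123' }
  out      = {}
  rt1 = provider.issue_request_token(app)
  out[:first_get]   = provider.authorize(method: :get,  params: { oauth_token: rt1.token }, session: alice)
  out[:post_nocsrf] = provider.authorize(method: :post, params: { oauth_token: rt1.token, authorize: '1' }, session: alice)
  out[:post_ok]     = provider.authorize(method: :post, params: { oauth_token: rt1.token, authorize: '1', authenticity_token: 'tok123' }, session: alice)
  first_token       = provider.exchange(rt1.token)
  # Second login from the same app: no prompt, and the same token comes back.
  rt2 = provider.issue_request_token(app)
  out[:second_get]  = provider.authorize(method: :get, params: { oauth_token: rt2.token }, session: alice)
  out[:same_token]  = provider.exchange(rt2.token).equal?(first_token)
  out[:token_count] = provider.access_tokens.size
  # After revoking, the consent page is shown again.
  provider.revoke('alice', app)
  rt3 = provider.issue_request_token(app)
  out[:after_revoke] = provider.authorize(method: :get, params: { oauth_token: rt3.token }, session: alice)
  # With the POST requirement dropped, a brand-new user is granted on a bare GET.
  bob = { user: 'bob', csrf: 'x' }
  rt4 = provider.issue_request_token(app)
  out[:get_grant_new_user] = provider.authorize(method: :get, params: { oauth_token: rt4.token }, session: bob, allow_get_grant: true)
  out
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The last case is the one to watch: once a GET can complete the grant, the consent page is no longer a control at all, since the consumer (or anyone who can get the user to follow a link carrying a request token) obtains an authorized token without a click. Keeping the grant on POST with the authenticity token, and answering the "ask once" requirement with an already-authorized check in front of it, gives the behaviour ephracis wanted without that cost.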