teranetsrl / oauth2_client

Simple Dart library for interacting with OAuth2 servers.
BSD 2-Clause "Simplified" License
96 stars 112 forks

OAuth2Helper.getToken() does not use store if no scopes were specified for GitHub #159

Open yfakariya opened 1 year ago

yfakariya commented 1 year ago

I found that when I use `OAuth2Helper.getToken()` to authorize for the GitHub API using `GitHubOAuth2Client`, the cached token is not used in the next call.

Expected behavior

The cached token in the token store is used even when no scope is specified for the GitHub API.

Actual behavior

The cached token in the token store is not used when no scope is specified for the GitHub API.

Note

I investigated the cause, and I found that the GitHub API returns `..., "scope": ""` for no scopes, but `AccessTokenResponse.fromHttpResponse` assumes that scope is null or an empty list (`[]`) and does not expect an empty string (`""`) (see here). So a map which has an empty-string entry (that is, `"scope": [""]`) is returned and is serialized to the token store. Then, in the next call, the scope comparison in the token store fails because the input scopes are an empty list while the saved scopes are a list with one empty string, so the cached access token is not used.

Repro code

```dart
import 'package:oauth2_client/github_oauth2_client.dart';
import 'package:oauth2_client/oauth2_helper.dart';

Future<void> main() async {
  final client = GitHubOAuth2Client(
    customUriScheme: 'http://127.0.0.1:3000',
    redirectUri: 'http://127.0.0.1:3000/something',
  );

  final helper = OAuth2Helper(
    client,
    clientId: '<Client ID registered in GitHub>',
    clientSecret: '<Client Secret gotten from GitHub>',
  );
  // The browser is shown
  final token1 = await helper.getToken();
  // The browser is shown again because the cache is not used.
  final token2 = await helper.getToken();
}
```
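The normalization the report describes, as an added example that is not part of the issue or of the oauth2_client library: a standalone Dart helper that maps the `scope` member of a token response to a scope list regardless of whether the server sent null, an empty string, a delimited string or a list, together with an order-insensitive comparison against the requested scopes. `normalizeScopes`, `sameScopes` and the sample response bodies are constructed for this example; the library's own `AccessTokenResponse.fromHttpResponse` is not used.

```dart
import 'dart:convert';

/// Normalize the `scope` member of a token response into a list of scope
/// names. Null, an empty string and an empty list all become `[]`, so a
/// GitHub response with `"scope": ""` no longer produces `[""]`.
/// Hypothetical helper written for this example, not library code.
List<String> normalizeScopes(Object? raw) {
  if (raw == null) return const <String>[];
  if (raw is List) {
    return raw
        .map((s) => s.toString().trim())
        .where((s) => s.isNotEmpty)
        .toList();
  }
  if (raw is String) {
    // RFC 6749 separates scopes with spaces; GitHub separates them with
    // commas. Splitting on both and dropping empties handles "" as well.
    return raw.split(RegExp(r'[\s,]+')).where((s) => s.isNotEmpty).toList();
  }
  throw FormatException('unexpected scope value: $raw');
}

/// Order-insensitive equality of two scope lists, the check a token store
/// would run before handing back a cached token.
bool sameScopes(List<String> stored, List<String> requested) =>
    stored.length == requested.length && requested.every(stored.contains);

/// Parse a raw JSON token-response body and return the normalized scopes.
List<String> scopesFromBody(String body) {
  final json = jsonDecode(body) as Map<String, dynamic>;
  return normalizeScopes(json['scope']);
}

void main() {
  // Constructed sample bodies; the token values are placeholders, not real.
  final bodies = <String, String>{
    'GitHub, no scopes': '{"access_token":"<token>","token_type":"bearer","scope":""}',
    'GitHub, two scopes': '{"access_token":"<token>","token_type":"bearer","scope":"repo,gist"}',
    'scope omitted': '{"access_token":"<token>","token_type":"bearer"}',
    'list form': '{"access_token":"<token>","token_type":"bearer","scope":["read:user"]}',
  };

  for (final entry in bodies.entries) {
    final stored = scopesFromBody(entry.value);
    print('${entry.key}: stored=$stored '
        'matches empty request=${sameScopes(stored, const <String>[])}');
  }

  // The failing comparison from the report: a naively parsed [""] is not
  // equal to the empty request list, so the cache lookup misses.
  final naive = <String>[''];
  print('naive [""] vs []: ${sameScopes(naive, const <String>[])}');
  print('normalized vs []: ${sameScopes(normalizeScopes(''), const <String>[])}');
}
```

Run with `dart run` on the file; the first sample line shows `stored=[]` and a match for the empty request, while the last two lines show the naive list failing the comparison and the normalized one passing it.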