Hi,
It would be useful to be able to expose the scope of a given OAuth2 token in the
GraphQL API. Some programs (hut, hottub) are able to receive a copy-pasted
personal access token from the user, and want to figure out exactly what
permission they have for the token. This can be supported via OAuth2 token
introspection: the introspection endpoint (already implemented by meta.sr.ht)
can return the scope of the token (that part is unimplemented at the moment).
I see two ways of implementing this:
- Add a myOauthScope query to the GraphQL API alongside the existing
myOauthGrant query. Decode the token and extract the scope in the
GraphQL resolver. Use that in the meta.sr.ht token introspection
endpoint handler.
- Add an OAuthGrant.scope field to the GraphQL API. Since the DB only stores
the token hash, we'll need to add a new "scope" field in the DB. The
upside is that we'd be able to display the scope of each token in the
meta.sr.ht OAuth 2 dashboard.
Which solution would you prefer?
Simon
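To make the second option concrete, here is an added example (not code from meta.sr.ht or core-go, and not Simon's) of a grant store that keeps only the SHA-256 of the access token plus a separate scope column, and an RFC 7662-style introspection response built from it. The Grant type, the store, the space-separated scope format and the token strings are all assumptions made for the example; the real sr.ht schema and token format may differ.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Grant stands in for a hypothetical oauth2_grant row. Only the token hash is
// stored, so the scope has to live in its own column if it is to be shown on a
// dashboard or returned by introspection without the token in hand.
type Grant struct {
	ID        int
	TokenHash string    // hex SHA-256 of the bearer token; the token itself is never stored
	Scope     string    // assumed format: space-separated entries, e.g. "profile:read"
	ExpiresAt time.Time // grant expiry, checked on every lookup
}

// hashToken derives the lookup key from the raw token.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// GrantStore is an in-memory stand-in for the database, keyed by token hash.
type GrantStore struct {
	byHash map[string]*Grant
}

func NewGrantStore() *GrantStore {
	return &GrantStore{byHash: map[string]*Grant{}}
}

// Issue records a new grant. The caller hands the raw token to the user and
// discards it; only the hash and scope survive here.
func (s *GrantStore) Issue(id int, token, scope string, expiresAt time.Time) {
	s.byHash[hashToken(token)] = &Grant{ID: id, TokenHash: hashToken(token), Scope: scope, ExpiresAt: expiresAt}
}

// Lookup resolves a raw token to its grant, treating expired grants as absent.
func (s *GrantStore) Lookup(token string, now time.Time) (*Grant, bool) {
	g, ok := s.byHash[hashToken(token)]
	if !ok || !now.Before(g.ExpiresAt) {
		return nil, false
	}
	return g, true
}

// IntrospectionResponse follows the field names of RFC 7662 section 2.2.
type IntrospectionResponse struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
	Exp    int64  `json:"exp,omitempty"`
}

// Introspect answers an introspection request. Unknown and expired tokens both
// get {"active": false} with no further fields, so a caller cannot tell them apart.
func (s *GrantStore) Introspect(token string, now time.Time) IntrospectionResponse {
	g, ok := s.Lookup(token, now)
	if !ok {
		return IntrospectionResponse{Active: false}
	}
	return IntrospectionResponse{Active: true, Scope: g.Scope, Exp: g.ExpiresAt.Unix()}
}

// HasScope is what a client such as hut could run on the returned scope string
// before attempting an operation. Exact entry match only; no implied access.
func HasScope(scope, want string) bool {
	for _, entry := range strings.Fields(scope) {
		if entry == want {
			return true
		}
	}
	return false
}

func main() {
	store := NewGrantStore()
	now := time.Now()
	store.Issue(1, "constructed-example-token", "profile:read", now.Add(time.Hour))

	out, _ := json.Marshal(store.Introspect("constructed-example-token", now))
	fmt.Println(string(out))
	out, _ = json.Marshal(store.Introspect("some-other-token", now))
	fmt.Println(string(out))
}
```

The point the example makes about the thread's second option: once the scope is a column beside the hash, both the introspection handler and a dashboard can read it by grant ID, whereas under the first option the scope exists only inside the token and has to be decoded from it on each request.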
On Sun, Aug 20, 2023 at 11:16:02AM +0000, Simon Ser wrote:
> Hi,
>
> It would be useful to be able to expose the scope of a given OAuth2 token in the
> GraphQL API.
[...]
> I see two ways of implementing this:
[...]
> - Add an OAuthGrant.scope field to the GraphQL API. Since the DB only stores
>   the token hash, we'll need to add a new "scope" field in the DB. The
>   upside is that we'd be able to display the scope of each token in the
>   meta.sr.ht OAuth 2 dashboard.
I think the dashboard part is the winning argument here.
Rene
While implementing refresh tokens, I found out that this is also a
prerequisite. We need to be able to get back the grants from the DB
without having the access token at hand.