-
Notifications
You must be signed in to change notification settings - Fork 108
feat(token): return the uid from the /token endpoint #3000
base: master
Are you sure you want to change the base?
Conversation
PR 3000, wooo
|
14089fd
to
182589b
Compare
182589b
to
9d3aea6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This makes me uncomfortable because we take care to only return an id_token if the grant contains the openid
scope, which contains the same info in sub
. With this change we are adding the uid whether requested or not and whether granted or not. While that is acceptable for requests coming from the auth-server, that falls outside of expected behavior for the general case.
Could we somehow restrict this behavior to auth-server originating calls? Or, the auth server adds the openid
scope when calling the oauth-server's /token endpoint and then remove the id_token if the RP didn't actually request it?
@@ -119,6 +119,7 @@ module.exports.generateTokens = async function generateTokens(grant) { | |||
const access = await db.generateAccessToken(grant); | |||
const result = { | |||
access_token: access.token.toString('hex'), | |||
user: access.userId.toString('hex'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we call this sub
like we do for an id token. At least it'd be consistent. But I see verify returns user. mmm...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
another idea is to use the fxa-uid
field
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing to "request changes" to figure out how to only return this parameter when expectations are met.
UID can be easily obtain by calling |
AFAICT the
Which is why we figured it would be OK to return it here as well. But perhaps that's an oversight rather than a deliberate behaviour. (Edit: lol, mid-air comment collision with vlad's response) |
Another option would be to only return it when the scopes explicitly allow it, e.g. when requesting |
It could be that we assumed all RPs would at least request |
This repo has been deprecated and migrated to https://github.com/mozill/fxa. Please open this PR against that repo. |
Fixes https://github.com/mozilla/fxa-auth-server/pull/2985/files#r268891903