PUBLIC - OAuth2 / OAUTH2-214

OAuth2 applications sometimes do not pick up new application scopes for already assigned scope aliases

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: Master, 1.0-portal_7.1.0, 1.1-marketplace_7.1.0
    • Fix Version/s: Master
    • Component/s: None
    • Labels: None

      Description

      The optimisation logic that identifies existing OAuthApplicationScopeAliases records for reuse, rather than creating new ones whenever an OAuth2Application's scope alias assignment is changed, is currently flawed.

      The issue is that we only compare the list of scope aliases for equality (via its hashcode) and not the actual LiferayOAuth2Scopes that these scope aliases would resolve to.

      Because we also store which LiferayOAuth2Scopes (OAuth2ScopeGrant) those scope aliases resolved to at the time the record was created, new LiferayOAuth2Scopes from new modules are not picked up unless the OAuth2Application's assigned scope aliases are changed (so that the hashcode differs).

      There is also a risk of TOCTOU (time-of-check to time-of-use).
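
The reuse flaw described above, reduced to a self-contained model. This is an added example, not the project's code or its actual fix: every class, method and scope name in it is hypothetical, and the registry contents are constructed. It contrasts reuse decided on the alias list's hashcode with reuse that also compares the scopes the aliases resolve to now.

```java
import java.util.*;

// Simplified model of the reuse bug; every class and method name here is hypothetical.
public class ScopeAliasReuseDemo {
    // A stored record: the assigned aliases plus the scopes they resolved to at creation time.
    record AliasesRecord(List<String> aliases, Set<String> grantedScopes) {}
    // Constructed registry: alias -> scopes contributed by the currently installed modules.
    static final Map<String, Set<String>> REGISTRY = new HashMap<>();
    static final List<AliasesRecord> STORE = new ArrayList<>();
    // Resolve aliases against the registry as it is right now; returns a fresh snapshot.
    static Set<String> resolve(List<String> aliases) {
        Set<String> scopes = new TreeSet<>();
        for (String alias : aliases) {
            scopes.addAll(REGISTRY.getOrDefault(alias, Set.of()));
        }
        return scopes;
    }

    // Flawed: reuse is decided on the alias list's hashcode alone, so stale grants survive.
    static AliasesRecord assignFlawed(List<String> aliases) {
        for (AliasesRecord r : STORE) {
            if (r.aliases().hashCode() == aliases.hashCode()) return r;
        }
        return create(aliases);
    }

    // Checked: reuse only when the stored grants equal what the aliases resolve to now.
    static AliasesRecord assignChecked(List<String> aliases) {
        Set<String> current = resolve(aliases);
        for (AliasesRecord r : STORE) {
            if (r.aliases().equals(aliases) && r.grantedScopes().equals(current)) return r;
        }
        return create(aliases);
    }

    static AliasesRecord create(List<String> aliases) {
        AliasesRecord r = new AliasesRecord(List.copyOf(aliases), resolve(aliases));
        STORE.add(r);
        return r;
    }

    public static void main(String[] args) {
        List<String> aliases = List.of("everything.read");
        REGISTRY.put("everything.read", new TreeSet<>(Set.of("moduleA:read")));
        assignFlawed(aliases); // first assignment creates the record
        REGISTRY.get("everything.read").add("moduleB:read"); // a new module adds a scope
        System.out.println("flawed:  " + assignFlawed(aliases).grantedScopes());
        System.out.println("checked: " + assignChecked(aliases).grantedScopes());
    }
}
```

The lookup-then-create sequence in this model is not atomic, so it does not address the TOCTOU risk mentioned in the description.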
