Dynamic scope request in setup phase fails scope tampering check
mksm opened this issue · 3 comments
I'm trying to set the requested scopes from the GET request params. The following was working with 1.1.8, perhaps because the scope tampering check was introduced in a later version.

```ruby
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :shopify,
    ShopifyApp.configuration.api_key,
    ShopifyApp.configuration.secret,
    # Runs on every request to the strategy (authorize and callback phase).
    setup: lambda { |env|
      request = Rack::Request.new(env)
      # Scope and shop come from the query string of the current request.
      env['omniauth.strategy'].options[:scope] = request.GET['scope']
      env['omniauth.strategy'].options[:client_options][:site] = "https://#{request.GET['shop']}"
    }
end
```
I'm running 1.1.17 and this now gives an error:

```
OmniAuth::Strategies::OAuth2::CallbackError at /auth/shopify/callback
invalid_scope | Scope does not match, it may have been tampered with.
```

This is similar to #49, and the proposed solutions (#49 (comment)) do not work. The `validate_granted_scopes` value is not being checked before running the scope validation.

Shopify doesn't send back the scopes granted, so I wonder how they are being checked against the ones that were requested.
You'll need to make sure `env['omniauth.strategy'].options[:scope]` is the same in both the authorize and the callback phase of OAuth. My suggestion is to store the scope in the user's session, which should be accessible like this from the setup lambda:

```ruby
strategy = env['omniauth.strategy']
session = strategy.session.with_indifferent_access
env['omniauth.strategy'].options[:scope] = session['shopify.oauth.scope']
```

To make that work, from your app, simply assign `session['shopify.oauth.scope']` to the correct value before redirecting to `/auth/shopify`.

Hope this works for you, let me know if this solves your problem.
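The two phases the answer describes, as an added example (not code from this issue or from the omniauth-shopify-oauth2 gem): `FakeStrategy`, `build_env` and `run_oauth` are stand-ins that model the tampering check in plain Ruby, and the session key `'shopify.oauth.scope'` is the one the answer uses. It shows why the GET-param lambda fails on the callback request while the session-backed one passes.

```ruby
# Stand-in for env['omniauth.strategy'] (hypothetical; not the gem's class).
class FakeStrategy
  attr_reader :options, :session

  def initialize(session)
    @session = session
    @options = { scope: nil, client_options: {} }
  end
end

# A Rack-style env for one request: the strategy plus that request's query params.
def build_env(session, params)
  { 'omniauth.strategy' => FakeStrategy.new(session), 'params' => params }
end

# The setup lambda from the question: scope read from the GET params.
SETUP_FROM_PARAMS = lambda do |env|
  env['omniauth.strategy'].options[:scope] = env['params']['scope']
end

# The setup lambda from the answer: scope read from the session the app filled in
# before redirecting to /auth/shopify. site is set here too, since a custom setup
# lambda replaces the default one.
SETUP_FROM_SESSION = lambda do |env|
  strategy = env['omniauth.strategy']
  strategy.options[:scope] = strategy.session['shopify.oauth.scope']
  strategy.options[:client_options][:site] = "https://#{env['params']['shop']}"
end

# Models the tampering check: the scope configured during the authorize phase is
# remembered, and the callback phase must configure the same scope again.
# Returns :ok or :invalid_scope.
def run_oauth(setup, session, requested_scope, shop)
  # Authorize phase: the app redirected to /auth/shopify?shop=...&scope=...
  authorize_env = build_env(session, { 'shop' => shop, 'scope' => requested_scope })
  setup.call(authorize_env)
  remembered = authorize_env['omniauth.strategy'].options[:scope]

  # Callback phase: the provider redirects back with code and shop but no scope
  # param (constructed values). The setup lambda runs again on this second request.
  callback_env = build_env(session, { 'shop' => shop, 'code' => 'constructed-code' })
  setup.call(callback_env)
  configured = callback_env['omniauth.strategy'].options[:scope]

  remembered == configured ? :ok : :invalid_scope
end

if __FILE__ == $PROGRAM_NAME
  session = { 'shopify.oauth.scope' => 'read_products' }
  puts run_oauth(SETUP_FROM_PARAMS, session, 'read_products', 'example.myshopify.com')  # invalid_scope
  puts run_oauth(SETUP_FROM_SESSION, session, 'read_products', 'example.myshopify.com') # ok
end
```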
Stored the scope in the user's session and used that to set `env['omniauth.strategy'].options[:scope]`.

Still had to set `site`, since the `setup` lambda replaces the default one. Besides that, problem solved. Thanks for the help. We can close this.
No worries.