XeroAPI/xero-python

Scope checking is too strict and causes error when the number of scopes requested is reduced

wobinb opened this issue · 3 comments

Scopes in Xero's OAuth 2.0 implementation are additive.

If the first time a connection is authorised scopes A, B and C are requested, they will always be included.

On a second authorisation for the same user, if only scopes A and B are requested, C will also be returned.

The SDK appears to then do a validation check to verify the scopes returned match the ones requested, and the process fails.

To recreate:

  1. Set the scopes to include payroll.employees and complete the authorisation process for one user.
  2. Remove the payroll.employees and repeat the authorisation process for the same user.
  3. Observe the process fails with a Scope has changed from... error

Per the docs around scope:

"It's not possible to remove scopes from an existing access token. The only way to reduce consented scopes is to revoke the token and start again."
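The behaviour reported above, modelled as an added example (not code from xero-python): a strict equality check between requested and granted scopes fails on the second authorisation because Xero returns the previously consented scope as well, while an additive-aware check only fails when a requested scope is actually missing and merely reports the surplus. The scope strings are constructed samples.

```python
# Added example (not from xero-python): strict vs additive-aware scope checks.
# Scope strings below are constructed samples mirroring the issue's steps.

def parse_scopes(scope_str):
    """Split a space-delimited OAuth 2.0 scope string into a set of scopes."""
    return set(scope_str.split())

def strict_scope_check(requested, granted):
    """Model of the check the issue describes: granted must equal requested.
    Returns (ok, message). Fails on the second authorisation in the report,
    because the earlier consented scope comes back although it was not
    requested this time."""
    req, got = parse_scopes(requested), parse_scopes(granted)
    if req != got:
        return False, 'Scope has changed from "%s" to "%s".' % (requested, granted)
    return True, ""

def additive_scope_check(requested, granted):
    """Additive-aware check: every requested scope must be granted; extra
    scopes left over from an earlier consent are reported, not rejected.
    Returns (ok, missing, surplus)."""
    req, got = parse_scopes(requested), parse_scopes(granted)
    missing = req - got   # needed but not granted: the only real failure
    surplus = got - req   # still on the token; only token revocation removes them
    return (not missing), sorted(missing), sorted(surplus)

# Constructed reproduction of the issue's steps (scope names are samples).
FIRST_AUTH_REQUEST = "openid profile payroll.employees"
SECOND_AUTH_REQUEST = "openid profile"
# Xero returns the union of everything consented so far for this user and app.
SECOND_AUTH_GRANTED = "openid profile payroll.employees"

def reproduce():
    """Run both checks against the second authorisation and collect results."""
    strict_ok, msg = strict_scope_check(SECOND_AUTH_REQUEST, SECOND_AUTH_GRANTED)
    add_ok, missing, surplus = additive_scope_check(SECOND_AUTH_REQUEST, SECOND_AUTH_GRANTED)
    return {"strict_ok": strict_ok, "strict_msg": msg,
            "additive_ok": add_ok, "missing": missing, "surplus": surplus}

if __name__ == "__main__":
    for key, value in reproduce().items():
        print(key, "=", value)
```

The surplus list is worth logging: it is the set of permissions the token still carries beyond what the app currently asks for, which per the docs quoted above can only be reduced by revoking the token.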

@wobinb As part of the described steps to replicate above, does the user disconnect from Xero via the connected apps dashboard or does Xero consider the app already authenticated (option is grey and continue with 1 org text present) during the second auth flow?

@RettBehrens in the replication steps above the app remains connected, so it would essentially be a re-authentication

Seems to still be an issue, see: #73

The following solution has been identified XeroAPI/xero-python-oauth2-app#47