thephpleague/oauth2-client

2.8.0 breaks existing scope handling

MrMooky opened this issue · 5 comments

Last week's release introduced the following in the getAccessToken() function:

https://github.com/thephpleague/oauth2-client/pull/1030/files#diff-e8490e4bb8acb102745699d2bd7aa0a298d836c92d00d2ed57dd4c7ad8b24282

if (empty($options['scope'])) {
    $options['scope'] = $this->getDefaultScopes();
}

if (is_array($options['scope'])) {
    $separator = $this->getScopeSeparator();
    $options['scope'] = implode($separator, $options['scope']);
}

This broke my existing integration because previously added scopes were lost and I got an API error: ACCESS_TOKEN_SCOPE_INSUFFICIENT.

To "fix" the issue, I had to add the scopes like this while refreshing the token:

$newAccessToken = $this->provider->getAccessToken('refresh_token', [
    'refresh_token' => $existingAccessToken->getRefreshToken(),
    'scope' => ['openid', 'email', 'profile', 'https://www.googleapis.com/auth/drive.file'],
]);

All the default ('openid', 'email', 'profile') scopes, plus the one I already added while calling getAuthorizationUrl(). So to me, 2.8.0 is a breaking change that should have been mentioned.
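The narrowing this report describes, as an added example that is not oauth2-client's code nor any commenter's: the 2.8.0 defaulting logic reduced to one function, next to a hypothetical variant that sends no scope on a refresh_token grant when the caller passes none (RFC 6749 §6 lets the server reuse the originally granted scope when the parameter is absent). DEFAULT_SCOPES, SCOPE_SEPARATOR, both function names and the sample token are assumptions; the actual change in #1053 may differ.

```php
<?php
// Added illustration, not library code. Shows why a refresh that defaults
// its scope list silently drops scopes granted at authorization time.
declare(strict_types=1);

// Assumed Google provider defaults, as listed in the issue (constructed constants).
const DEFAULT_SCOPES = ['openid', 'email', 'profile'];
const SCOPE_SEPARATOR = ' ';

/** Reproduces the 2.8.0 behaviour quoted in the issue. */
function buildParams_2_8_0(string $grant, array $options): array
{
    if (empty($options['scope'])) {
        $options['scope'] = DEFAULT_SCOPES;   // applied even on refresh_token
    }
    if (is_array($options['scope'])) {
        $options['scope'] = implode(SCOPE_SEPARATOR, $options['scope']);
    }
    return ['grant_type' => $grant] + $options;
}

/** Hypothetical variant: a refresh_token grant carries no scope unless the
 *  caller supplies one, so the server keeps the originally granted scope. */
function buildParams_fixed(string $grant, array $options): array
{
    if (empty($options['scope'])) {
        if ($grant === 'refresh_token') {
            unset($options['scope']);        // let the server reuse the grant
        } else {
            $options['scope'] = DEFAULT_SCOPES;
        }
    }
    if (isset($options['scope']) && is_array($options['scope'])) {
        $options['scope'] = implode(SCOPE_SEPARATOR, $options['scope']);
    }
    return ['grant_type' => $grant] + $options;
}

// Constructed refresh request with no explicit scope, as in the reporter's
// original integration before the workaround.
$refresh = ['refresh_token' => 'constructed-refresh-token'];

// 2.8.0: the request asks for only the defaults; drive.file is no longer requested.
var_dump(buildParams_2_8_0('refresh_token', $refresh)['scope']);

// Fixed variant: no scope parameter at all, so the grant's scope is preserved.
var_dump(array_key_exists('scope', buildParams_fixed('refresh_token', $refresh)));
```

Comparing the two outputs makes the failure visible before the provider returns ACCESS_TOKEN_SCOPE_INSUFFICIENT: the refreshed token in the first case can only ever cover the default scopes.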

liayn commented

Discussion to be continued in #1030 please.

Can you try if #1053 fixes your issue?

tm1000 commented

@barryvdh that fixes the issue

I have been going crazy chasing this issue with the Google Provider where the scopes requested outside of the default were being lost on refresh token actions.

I have downgraded back to 2.7.0 temporarily to fix this. It would be good to pin this issue because the Google Provider gets broken pretty bad by this currently.

Thanks a lot for reporting this bug! We just spent 5 hours debugging our app only to find out that this little piece of code was breaking everything. Pinning the dependency to 2.7.0 works perfectly.