Skip to content

fix: update session grants in the auth code token endpoint handler #848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

fix: update session grants in the auth code token endpoint handler #848

wants to merge 1 commit into from

Conversation

tilgovi
Copy link

@tilgovi tilgovi commented Apr 9, 2025

Callers may wish to see the granted scope and audience of a auth code flow updated by the token endpoint handler, before responding to the token request. Move calls to set the granted scope and audience from AuthorizeExplicitGrantHandler.PopulateTokenEndpointResponse to the AuthorizeExplicitGrantHandler.HandleTokenEndpointRequest method.

Fix ory/hydra#3969.

Related Issue or Design Document

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

@tilgovi
fix: update session grants in the auth code token endpoint handler
def05ea 
Callers may wish to see the granted scope and audience of a auth code
flow updated by the token endpoint handler, before responding to the
token request. Move calls to set the granted scope and audience from
`AuthorizeExplicitGrantHandler.PopulateTokenEndpointResponse` to the
`AuthorizeExplicitGrantHandler.HandleTokenEndpointRequest` method.

Fix [ory/hydra#3969](ory/hydra#3969).
@tilgovi tilgovi mentioned this pull request Apr 9, 2025
Draft
7 tasks
aeneasr
aeneasr requested changes Apr 14, 2025
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This essentially breaks all contracts on PopulateTokenEndpointResponse which used to set the granted audiences and codes and no longer does. It's a sensitive part in fosite so we should only change this for good reason.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

oauth2 webhook: granted_scopes always empty for authorization_code
2 participants
@tilgovi @aeneasr