Google example doesn't work - Scope has changed #387

Open
messa opened this issue Sep 18, 2019 · 3 comments

Comments

@messa
Contributor

messa commented Sep 18, 2019

When I follow the Google example:

>>> google.fetch_token(token_url, client_secret=client_secret,authorization_response=redirect_response)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/requests_oauthlib/oauth2_session.py", line 307, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 421, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 431, in parse_token_response
    validate_token_parameters(params)
  File "/Users/messa/code/gh/ow2/hub/venv/lib/python3.7/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 461, in validate_token_parameters
    raise w
Warning: Scope has changed from "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile" to "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile".

Apparently Google adds an openid scope even if I haven't asked for it, and the oauthlib code is too strict when comparing the new received scope with the old requested one.

I see three possible solutions:

  1. just add openid to the list of scopes - it does work then 🎉
  2. suppress raising this error from oauthlib by setting env variable OAUTHLIB_RELAX_TOKEN_SCOPE (see here)
  3. change oauthlib behavior so it doesn't raise an error when a scope was added, only when it was removed...

What do you think?

@lepture

lepture commented Sep 18, 2019

If using openid, the scope can be as short as openid email profile. See https://github.com/authlib/loginpass/blob/master/loginpass/google.py#L38

@shurshilov

I get this error when I use
SCOPES = ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.file"]
Just changing it to this works for me:
SCOPES = ["openid", "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/drive.file"]

@cmin764

cmin764 commented Nov 23, 2022

Here's one with Microsoft Office365 Exchange:

Warning: Scope has changed from "offline_access https://outlook.office365.com/.default" to "https://outlook.office365.com/EWS.AccessAsUser.All https://outlook.office365.com/.default".

And if you provide the scope exactly as provided by the server, you get:
Screenshot 2022-11-23 at 16 11 17

So is this a library issue or a server one?
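
Added example, not part of any comment above and not oauthlib or requests-oauthlib code: a stand-alone sketch of the third option from the opening post, which splits a scope change into scopes the server added and scopes it dropped, then accepts only the changes the application has explicitly allowed. The names `scope_delta`, `check_granted_scope`, `allowed_extra` and `optional` are hypothetical; the scope strings are copied from the two warnings quoted in this thread.

```python
# Added example (not oauthlib or requests-oauthlib code): classify a scope
# change instead of treating every difference as fatal or ignoring it entirely.
from dataclasses import dataclass


class ScopeMismatch(Exception):
    """Raised when the granted scope violates the local policy."""


@dataclass(frozen=True)
class ScopeDelta:
    added: frozenset    # granted by the server but never requested
    removed: frozenset  # requested but missing from the token response


def scope_delta(requested, granted):
    """Compare two scope values (space-delimited string or iterable)."""
    def as_set(value):
        return frozenset(value.split() if isinstance(value, str) else value)
    req, got = as_set(requested), as_set(granted)
    return ScopeDelta(added=got - req, removed=req - got)


def check_granted_scope(requested, granted, allowed_extra=(), optional=()):
    """Hypothetical policy: tolerate listed additions and listed omissions only.

    allowed_extra: scopes the server may add on its own (e.g. "openid").
    optional: requested scopes the application can work without.
    """
    delta = scope_delta(requested, granted)
    unexpected = delta.added - frozenset(allowed_extra)
    missing = delta.removed - frozenset(optional)
    if unexpected or missing:
        raise ScopeMismatch(
            f"unexpected={sorted(unexpected)} missing={sorted(missing)}")
    return delta


# Scope strings copied from the two warnings quoted in this thread.
GOOGLE_REQ = ("https://www.googleapis.com/auth/userinfo.email "
              "https://www.googleapis.com/auth/userinfo.profile")
GOOGLE_GOT = "openid " + GOOGLE_REQ
MS_REQ = "offline_access https://outlook.office365.com/.default"
MS_GOT = ("https://outlook.office365.com/EWS.AccessAsUser.All "
          "https://outlook.office365.com/.default")

if __name__ == "__main__":
    print(check_granted_scope(GOOGLE_REQ, GOOGLE_GOT, allowed_extra={"openid"}))
    print(scope_delta(MS_REQ, MS_GOT))
```

With this policy the Google response passes because the only difference is an allowed addition, while the Microsoft response is reported as both adding a scope and dropping `offline_access`, so a blanket relaxation would hide two different kinds of change.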
