Change validate_user/validate_grant_type order for Resource Owner Password Grant #643

Open
JonathanHuot opened this issue Jan 8, 2019 · 0 comments

@JonathanHuot JonathanHuot commented Jan 8, 2019

The flows shown in the dot graph (see #642 (comment)) uncovered an issue in the order of the calls.

Resource Owner Password Grant

validate_grant_type is called AFTER validate_user, which can lead to unexpected behavior depending on the validate_user implementation (e.g. creating a session on the IdP side when the request should be forbidden). For the other flows, validate_grant_type is correctly called BEFORE.

[image: dot graph of the Resource Owner Password Grant flow]

Since it changes the request validator calling order, it is considered a breaking change.

@JonathanHuot JonathanHuot added this to the 4.0.0 milestone Jan 8, 2019
JonathanHuot added a commit that referenced this issue Jan 8, 2019
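The side effect described in the issue, as an added example that is not oauthlib's code and is not part of the issue thread. The validator below is a hypothetical stand-in that only reuses the method names `validate_grant_type` and `validate_user` from oauthlib's `RequestValidator`; it does not import oauthlib, and the client, request and user data are constructed for the demonstration. It runs the same token request through both call orders and counts how many IdP sessions each order creates when the client is not allowed to use the password grant.

```python
"""Why validate_grant_type must run before validate_user in the Resource
Owner Password Credentials grant (added example, modelled on the issue).

SessionCreatingValidator is a hypothetical stand-in with the same method
names as oauthlib's RequestValidator; nothing here imports oauthlib.
"""
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    # Constructed: this client may only use the authorization code grant.
    allowed_grant_types: tuple = ("authorization_code",)


@dataclass
class TokenRequest:
    client: Client
    grant_type: str
    username: str
    password: str


class SessionCreatingValidator:
    """Models the implementation the issue warns about: validate_user checks
    the credentials AND creates a session on the IdP side as a side effect."""

    def __init__(self, users):
        self._users = users      # constructed: username -> password
        self.sessions = []       # the side effect we want to observe

    def validate_grant_type(self, client_id, grant_type, client, request):
        return grant_type in client.allowed_grant_types

    def validate_user(self, username, password, client, request):
        if self._users.get(username) != password:
            return False
        # Credentials are valid, so this implementation opens an IdP session
        # immediately, regardless of what the caller decides afterwards.
        self.sessions.append((username, client.client_id))
        return True


def validate_token_request_old_order(validator, request):
    """Pre-change order: validate_user first, validate_grant_type after.
    Error strings are the RFC 6749 error codes for each failure."""
    if not validator.validate_user(request.username, request.password,
                                   request.client, request):
        return "invalid_grant"
    if not validator.validate_grant_type(request.client.client_id,
                                         request.grant_type,
                                         request.client, request):
        return "unauthorized_client"
    return "ok"


def validate_token_request_fixed_order(validator, request):
    """Order proposed in the issue: reject a forbidden grant type before the
    user credentials (and any side effect of checking them) are touched."""
    if not validator.validate_grant_type(request.client.client_id,
                                         request.grant_type,
                                         request.client, request):
        return "unauthorized_client"
    if not validator.validate_user(request.username, request.password,
                                   request.client, request):
        return "invalid_grant"
    return "ok"


def demo(order):
    """Run one forbidden password-grant request through the given call order.
    Returns (error code, number of IdP sessions created)."""
    validator = SessionCreatingValidator({"alice": "correct horse"})
    client = Client("web-app")  # "password" is not in allowed_grant_types
    request = TokenRequest(client, "password", "alice", "correct horse")
    result = order(validator, request)
    return result, len(validator.sessions)


if __name__ == "__main__":
    # Both orders reject the request, but only the old order leaves a session
    # behind: ('unauthorized_client', 1) versus ('unauthorized_client', 0).
    print("old order:  ", demo(validate_token_request_old_order))
    print("fixed order:", demo(validate_token_request_fixed_order))
```

Both orders return the same error to the client, which is why the defect is easy to miss in black-box testing; the difference is only visible in the validator's state, so a regression check for this ordering should assert on the validator's side effects rather than on the HTTP response alone.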