
Auth scopes returned do not match requested scopes
Whilst building my API Wrapper I have spotted an issue.
I thought I would be clever and store the scope response from the auth process so I can compare and re-authenticate if the scope is changed.
What I have found is the auth response with the id_token and access_token, refresh_token also has the scope.
However I see that the scope list returned does not match the requested scope list.
e.g.
I requested
"offline_access openid profile email files accounting.transactions accounting.settings accounting.contacts accounting.attachments assets projects"
but got back
"openid profile email files accounting.transactions accounting.settings accounting.contacts accounting.attachments assets projects offline_access accounting.reports.read accounting.journals.read accounting.settings.read"
Different order and extra .read entries.
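Added illustration, not code from the original post or from any Xero SDK: a scope comparison that treats the scope string the way RFC 6749 section 3.3 defines it (a space-delimited, case-sensitive set, so order carries no meaning) and asks the question that actually matters to a wrapper, namely whether every requested scope was granted. The scope value the token endpoint returns is authoritative (RFC 6749 section 5.1 requires the server to include it whenever it differs from what was requested), so a wrapper should store and compare against that rather than against its own request. Scopes present in the grant but not in the request are reported separately, because a token carrying more privilege than the application asked for is worth noticing from a least-privilege point of view. The scope strings are the ones quoted in the post; `example.scope` is a constructed name used only to exercise the missing-scope path.

```python
"""Order-insensitive comparison of requested vs granted OAuth 2.0 scopes."""
from __future__ import annotations

from dataclasses import dataclass

# Scope strings quoted in the post above.
REQUESTED = (
    "offline_access openid profile email files accounting.transactions "
    "accounting.settings accounting.contacts accounting.attachments assets projects"
)
GRANTED = (
    "openid profile email files accounting.transactions accounting.settings "
    "accounting.contacts accounting.attachments assets projects offline_access "
    "accounting.reports.read accounting.journals.read accounting.settings.read"
)


def parse_scopes(scope_string: str) -> frozenset[str]:
    """Split a scope value into a set.

    RFC 6749 s3.3: scopes are space-delimited and case-sensitive; repeated
    entries and ordering carry no meaning, so a set is the right model.
    """
    return frozenset(token for token in scope_string.split() if token)


@dataclass(frozen=True)
class ScopeCheck:
    missing: frozenset[str]  # requested but not granted -> re-consent needed
    extra: frozenset[str]    # granted but never requested -> more privilege than asked for

    @property
    def needs_reauth(self) -> bool:
        # Only a *missing* scope justifies sending the user back through consent.
        # Extra scopes (e.g. from an earlier, additive authorisation) do not.
        return bool(self.missing)


def compare_scopes(requested: str, granted: str) -> ScopeCheck:
    """Compare the scope string we sent with the one the token endpoint returned."""
    wanted = parse_scopes(requested)
    got = parse_scopes(granted)
    return ScopeCheck(missing=wanted - got, extra=got - wanted)


if __name__ == "__main__":
    check = compare_scopes(REQUESTED, GRANTED)
    print("needs re-auth:", check.needs_reauth)
    print("missing:", sorted(check.missing))
    print("extra (granted but not requested):", sorted(check.extra))
```

Run on the two strings from the post, `missing` is empty and `extra` holds the three `.read` scopes, so the wrapper would correctly decide that no re-authentication is needed; a strict string equality check would have forced the user through consent again.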
4
Replies

Hi Darren,
Is it possible you'd already authenticated that user previously with a different set of scopes? Xero API scopes are additive, so you'll always get the combined set of scopes from all previous authentications for that user - as described here:
https://developer.xero.com/documentation/oauth2/scopes
Hope that helps - cheers,
Russell

That is possible, however I thought a re-authentication would reset this?

The only way to 'remove' a scope is to completely revoke the token set.
If you were to re-authenticate after a full revocation, you would reset what scopes the user had authorized. * Also note that revoking a whole token is different than deleting a connection.
See Revoking tokens
You can revoke a user's refresh token and remove all their connections to your app by making a request to the revocation endpoint.
https://developer.xero.com/documentation/oauth2/auth-flow
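Added example, not code from the reply above or from Xero's documentation: building the revocation request in the standard RFC 7009 shape (a POST with `token` and `token_type_hint` form fields, client credentials sent as HTTP Basic auth) so that the "full revocation" step can be driven from a wrapper. The endpoint URL is a placeholder; the real one is in the linked auth-flow page. The request is built separately from the send so it can be inspected, and the helper that sends it is written to discard the locally stored token set on success, since after revocation the cached refresh token and its recorded scopes are stale.

```python
"""Construct and send an RFC 7009 token revocation request."""
from __future__ import annotations

import base64
import urllib.error
import urllib.parse
import urllib.request

# Placeholder: substitute the revocation endpoint from the linked auth-flow docs.
REVOCATION_ENDPOINT = "https://example.invalid/connect/revocation"


def build_revocation_request(client_id: str, client_secret: str,
                             refresh_token: str) -> urllib.request.Request:
    """Return a ready-to-send POST in the RFC 7009 s2.1 format."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({
        "token": refresh_token,
        "token_type_hint": "refresh_token",  # optional hint, lets the server skip a lookup
    }).encode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(REVOCATION_ENDPOINT, data=body, headers=headers, method="POST")


def revoke_and_forget(client_id: str, client_secret: str, token_store: dict,
                      timeout: float = 10.0) -> bool:
    """Revoke the stored refresh token and, on success, drop the cached token set.

    `token_store` is a constructed stand-in for however the wrapper persists
    tokens; it is expected to hold 'refresh_token' and the recorded 'scope'.
    RFC 7009 s2.2: the server answers 200 even for an already-invalid token.
    """
    request = build_revocation_request(client_id, client_secret, token_store["refresh_token"])
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            ok = response.status == 200
    except urllib.error.URLError:
        ok = False
    if ok:
        # Nothing cached is valid any more: the next authorisation starts from
        # a clean scope set, which is the point of the full revocation.
        token_store.clear()
    return ok
```

Because revocation resets what the user has authorised, the next authorisation should be compared against the scope string that the token endpoint returns on that fresh consent, not against anything cached before the revoke.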

I will look into adding the Revoke step and see what happens.
Thanks