I have a web app that has multiple scopes under a single OAuth consumer. I want the user’s Drupal role to be used when logging in.
In simple OAuth, I have created 1 consumer that has 2 scopes: editor_user and regular_user.
I run oauth/token with grant_type=password, which returns a token that covers the authenticated, editor_user and regular_user roles.
When logging in as a user with role regular_user and forcefully setting the scope to editor_user, the user role gets set to editor_user!
This seems highly unsafe. User roles need to be properly enforced on the backend.
I would expect the Drupal backend to correctly check for a user’s roles and ignore any scopes that do not match, regardless of whether the consumer itself is allowed access to more scopes than a user.
Is there a way of restricting the token to the user’s role within a scope that can contain multiple?
So, if a regular_user authenticates, but a front-end user manipulates the request, still only the role of regular_user is assigned to him? Not the roles that are defined in the scope?
If I request a list of articles, as a regular user with scope properly set to regular_user, I see the articles (except for a field for which regular users don’t have view permissions, thanks to field_permissions module).
When setting the scope for a regular user to editor_user, I don’t receive any articles. Not sure if this is thanks to a security mechanism or due to a bug.
My reasoning would be that the editor_user scope does not match the user’s assigned roles and hence gets removed, which leaves an empty scope and … gives the same permissions as for anonymous users? Not sure about this.
Anonymous users should see the article list too, though.
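The backend check the question asks for, written out as an added example in plain PHP (this is not code from the original post and not Simple OAuth's or Drupal's own implementation). It assumes, as the question does, that a scope identifier is the machine name of a Drupal role, and it takes the consumer's configured scopes and the user's roles as plain arrays so it runs without a Drupal install. The function name `finalizeScopesForUser` and the exception class are this example's own. It narrows the requested scopes in two steps (consumer scopes, then the user's roles) and refuses to issue a token when the result is empty, so a tampered request cannot silently degrade to an anonymous-level token:

```php
<?php
declare(strict_types=1);

// Added example: server-side scope finalization that never trusts the
// scope the client asked for. Assumption: scope id == Drupal role name.

final class ScopeNotGrantedException extends RuntimeException {}

/**
 * Returns the scopes a token may carry for this user.
 *
 * @param string[] $requestedScopes Scopes sent with the /oauth/token request.
 * @param string[] $consumerScopes  Scopes configured on the OAuth consumer.
 * @param string[] $userRoles       Roles actually assigned to the user.
 * @param bool     $rejectOnMismatch True: fail the request if any requested
 *                                   scope is not held; false: drop it quietly.
 */
function finalizeScopesForUser(
    array $requestedScopes,
    array $consumerScopes,
    array $userRoles,
    bool $rejectOnMismatch = true
): array {
    // Every logged-in Drupal user holds 'authenticated' implicitly, but
    // 'anonymous' must never be granted to an authenticated token.
    $effectiveRoles = array_unique(array_merge(['authenticated'], $userRoles));
    $effectiveRoles = array_diff($effectiveRoles, ['anonymous']);

    // Step 1: a scope the consumer was never given is always dropped.
    $allowedForConsumer = array_intersect($requestedScopes, $consumerScopes);

    // Step 2: a scope the user does not hold as a role is dropped.
    $granted = array_values(array_intersect($allowedForConsumer, $effectiveRoles));

    $denied = array_values(array_diff($requestedScopes, $granted));
    if ($rejectOnMismatch && $denied !== []) {
        throw new ScopeNotGrantedException(
            'Requested scope(s) not held by this user: ' . implode(', ', $denied)
        );
    }
    if ($granted === []) {
        // Never fall through to an empty scope set: that is the case the
        // question observes, where the token behaves like an anonymous user.
        throw new ScopeNotGrantedException('No requested scope matches the user\'s roles.');
    }
    return $granted;
}

// Constructed sample matching the question: one consumer with two scopes,
// a user who only has the regular_user role.
$consumerScopes = ['editor_user', 'regular_user'];
$regularUserRoles = ['regular_user'];

// Honest request: only regular_user is granted.
var_dump(finalizeScopesForUser(['regular_user'], $consumerScopes, $regularUserRoles));

// Tampered request: the client asks for editor_user and is refused.
try {
    finalizeScopesForUser(['editor_user'], $consumerScopes, $regularUserRoles);
} catch (ScopeNotGrantedException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Lenient mode: the unheld scope is dropped instead of failing the request.
var_dump(finalizeScopesForUser(['editor_user', 'regular_user'], $consumerScopes, $regularUserRoles, false));
```

The important design choice is that the intersection is computed from the authenticated user's roles looked up on the server, never from anything the client sends; the client's scope parameter can only narrow the result. Choosing between rejecting and silently dropping an unheld scope is a policy decision, but either way the empty-scope outcome should be an error rather than a token, which also makes the tampering attempt visible in the logs.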