Scope creep when requesting Live access using OAuth/REST?
-
12 March 2012 16:57
I am using the REST API to request access to my users' Hotmail calendar to add events using the "wl.events_create" scope (and nothing else), but the window presented to them lists the following access requests:
- Access your name, gender, display picture, contacts and friends
- Access your photos and videos
- Add events to your hotmail calendar
I could not find any reason in the documentation why it's asking for the extra, unwanted resources.
Thanks
All replies
-
12 March 2012 22:50
Are you sure that wl.events_create is the only scope your application is asking for? Can you share a code snippet?
Carl Hirschman
-
13 March 2012 3:10
Thanks for your reply Carl.
I'm not at my desk right now, but I should have mentioned that I used to request the photo albums and user info scopes from within my app, but not anymore. It's almost like there's some residual scope information lingering somewhere (although I'm 99% sure my code doesn't have anything like that anymore). Is that even possible?
-
13 March 2012 17:46
Can you share a code snippet?
Carl Hirschman
-
22 March 2012 17:09
Apologies for not replying sooner.
Here's what happened:
- App requests access to scope A and B
- User is prompted to grant access to scope A and B
- User grants access
Some time later:
- Same app requests access to scope C and D
- User is prompted to grant access to scopes A, B, C and D
I can see why scopes A and B would not be automatically revoked when asking for scopes C and D. I just did not expect that the user would be prompted again for those previously granted scopes.
The solution is for the user to explicitly revoke access to the app (it has to be all scopes).
Thanks for getting back to me.
-
22 March 2012 22:41
Is your app a mobile app? When you request user consent from a mobile app, we will show all scopes, including the ones the user has previously consented to. The reason is that for a mobile app we don't have a way to validate whether the request that comes in is from the app it claims to be. Some other app could make a request using your app id and get a valid token if the user has previously consented to your app. By showing the consent UI with all scopes, we make sure the user understands what they are consenting to.
Thanks.
- Marked as answer by tbertran, 22 March 2012 22:43
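The two posts above describe the same behaviour from both sides: the original poster's sequence (scopes A and B granted first, C and D requested later, the user re-prompted for all four) and Carl's explanation of why a public (mobile) client is re-prompted for the full set. The following is an added example, not code from this thread or from Microsoft's Live Connect service. It models an authorization server's consent decision: for a confidential client whose secret has been verified, only the newly requested scopes are shown; for a public client, whose client id cannot be authenticated, the consent screen lists the union of previously granted and newly requested scopes, so an impostor reusing the app id cannot obtain a token for already-granted scopes without the user seeing exactly what it covers. The client types, the store layout, the placeholder client id and the scope names A, B, C, D are assumptions modelled on the thread.

```python
"""Model of which scopes an OAuth authorization server shows on the consent
screen when an app makes an incremental scope request.

Added example for this thread, not code from the forum post or from
Microsoft's Live Connect service. Client types, store layout, the
placeholder client id and the scope names A, B, C, D are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Client:
    client_id: str
    # A public client (mobile or in-browser app) cannot keep a secret, so the
    # server cannot prove a request carrying this client_id came from the app.
    is_public: bool


@dataclass
class ConsentStore:
    # client_id -> {user_id -> set of scopes the user has granted that app}
    grants: dict = field(default_factory=dict)

    def granted(self, client_id: str, user_id: str) -> set:
        return set(self.grants.get(client_id, {}).get(user_id, set()))

    def record(self, client_id: str, user_id: str, scopes: set) -> None:
        # Earlier grants are kept: a later request never revokes them.
        self.grants.setdefault(client_id, {}).setdefault(user_id, set()).update(scopes)

    def revoke_all(self, client_id: str, user_id: str) -> None:
        # Revocation, as described in the thread, is all-or-nothing per app.
        self.grants.get(client_id, {}).pop(user_id, None)


def scopes_to_prompt(previously_granted: set, requested: set, client_is_public: bool) -> set:
    """Return the scopes the consent screen must list.

    Confidential client (secret verified): only the scopes not yet granted
    need consent, so re-requesting an already-granted scope shows nothing.

    Public client: the client_id alone proves nothing, so the screen lists
    every scope the resulting token will cover. An impostor reusing the
    app id to request an already-granted scope therefore cannot obtain a
    token silently; the user is shown the full set and must consent again.
    """
    if client_is_public:
        return previously_granted | requested
    return requested - previously_granted


def authorize(store: ConsentStore, client: Client, user_id: str, requested: set):
    """Run one authorization request, assuming the user accepts the prompt.

    Returns (scopes shown on the consent screen, scopes the issued token covers).
    The token covers everything the app has ever been granted, since the
    earlier grants are not revoked by the later request.
    """
    previously = store.granted(client.client_id, user_id)
    prompted = scopes_to_prompt(previously, requested, client.is_public)
    store.record(client.client_id, user_id, requested)
    return prompted, store.granted(client.client_id, user_id)


def replay_thread_scenario(is_public: bool):
    """The original poster's sequence: A and B granted, then C and D requested."""
    store = ConsentStore()
    app = Client("example-app-id", is_public)  # placeholder id, not a real client
    first_prompt, _ = authorize(store, app, "alice", {"A", "B"})
    second_prompt, token_scopes = authorize(store, app, "alice", {"C", "D"})
    return first_prompt, second_prompt, token_scopes


if __name__ == "__main__":
    for kind, public in (("mobile (public)", True), ("server-side (confidential)", False)):
        first, second, token = replay_thread_scenario(public)
        print(f"{kind}: first prompt {sorted(first)}, "
              f"second prompt {sorted(second)}, token scopes {sorted(token)}")
```

Running the script shows the two outcomes side by side: the public client is prompted for A, B, C and D the second time, exactly what the original poster saw, while the confidential client is prompted only for C and D; in both cases the token ends up covering all four scopes, which is why the poster's remedy is to have the user revoke the app entirely.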
-
22 March 2012 22:43
Yes, it is a mobile app.