
I am working with Authlib version 0.7. I am trying to give a client access to multiple scopes. The way I do that is, on client creation, I pass a string delimited by spaces as the scope (e.g. 'A B'). When I generate an access token for this client, its scope is set to 'A B'. However, when I try to access a resource protected by scope 'A' (to protect the resource I have added @require_oauth('A')), I am denied access and get an HTTP 403 error. Would appreciate any suggestions that might help me fix this. Thanks

davidism
pranav jain
update: after some debugging I found out that the scope of the token is being set to 'B' and not 'A B'. I thought that by default the access tokens take the same scope as their client. Need to figure out why the scope is being chopped off – pranav jain Jun 27 '18 at 22:51

1 Answer

Check out the documentation on multiple scopes:

https://docs.authlib.org/en/latest/flask/2/resource-server.html#multiple-scopes

You can apply multiple scopes to one endpoint in AND and OR modes. The default is AND mode.

from flask import Flask, jsonify
from authlib.flask.oauth2 import ResourceProtector, current_token

app = Flask(__name__)
require_oauth = ResourceProtector()  # register your token validator on it before use
@app.route('/profile')
@require_oauth('profile email', 'AND')  # AND: the token must carry both 'profile' and 'email'
def user_profile():
    user = current_token.user
    return jsonify(user)
lepture
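To make the AND/OR behaviour concrete for the situation in the question, here is an added, stand-alone re-implementation of the scope comparison a protected endpoint performs (example code written for this page, not Authlib's own implementation or API; the `check_access` helper and the scope strings are constructed for illustration). It shows why a token whose scope was chopped down to 'B' is rejected by `require_oauth('A')` in the default AND mode, while a token carrying 'A B' passes.

```python
# Added example, not code from the answer or from Authlib: a minimal
# re-implementation of the scope check behind require_oauth(scope, operator).

def scope_to_list(scope):
    """Split a space-delimited scope string such as 'A B' into a list."""
    if not scope:
        return []
    return [s for s in scope.strip().split() if s]


def scope_insufficient(token_scope, required_scope, operator="AND"):
    """Return True when the token does NOT satisfy the endpoint's requirement.

    AND mode (the default): every required scope must be present in the token.
    OR mode: at least one of the required scopes must be present in the token.
    """
    if not required_scope:
        return False  # an endpoint without a scope requirement accepts any valid token
    token_scopes = set(scope_to_list(token_scope))
    required_scopes = set(scope_to_list(required_scope))
    if operator == "AND":
        return not required_scopes.issubset(token_scopes)
    if operator == "OR":
        return required_scopes.isdisjoint(token_scopes)
    raise ValueError("operator must be 'AND' or 'OR'")


def check_access(token_scope, required_scope, operator="AND"):
    """Hypothetical helper mirroring the decorator's outcome: 200 or 403."""
    if scope_insufficient(token_scope, required_scope, operator):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed scenarios mirroring the question and the follow-up comment.
    print(check_access("A B", "A"))           # 200: token carries A (and B)
    print(check_access("B", "A"))             # 403: the chopped-off token lacks A
    print(check_access("A B", "A B", "AND"))  # 200: both required scopes present
    print(check_access("B", "A B", "OR"))     # 200: OR mode needs only one of them
    print(check_access("B", "A B", "AND"))    # 403: AND mode needs both
```

The 403 in the question therefore follows directly from the token's scope being 'B' rather than 'A B', as the follow-up comment found; the decorator itself behaves as documented.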