OAuth Access and Permissions during Authorization
mattwright
Registered Users Posts: 124 Major grins
I ran into an issue when switching my app over to use OAuth authentication. At first I didn't realize that you had to specify an ?Access= parameter of Full, so my application authorized under Public access to my account. Later, when attempting to re-authorize with Access=Full, SmugMug instead just bypassed that and used the existing authorization in my account. So regardless of visiting the authorize.mg URL with ?Access=Full, it just defaulted to the Public permission I had already approved and skipped the authorization screen to confirm what permissions I wanted to grant.
Instead, it seems like if the authorize URL is accessed with stricter parameters (such as Full access or Write permissions) that it was not previously granted, it should again prompt the user rather than falling back to authorizing the token, but without the access level requested.
Once I revoked the authorization from my SmugMug control panel and tried again, it worked to grant me full access. Let me know if this isn't clear or I was just doing it wrong. Thanks,
Matt
Comments
We have done this intentionally, as a user can specifically limit the access that a given app has regardless of what the app has requested. Therefore, if an app is reauthorized, the previous permissions are honoured.
Hope this makes sense.
David
SmugMug API Developer
My Photos
OK, that does make sense. Maybe a note about it somewhere in the OAuth API docs would help. I guess the solution is to check the permissions returned on the access token and alert the user if they don't match what I expected. I just got caught up in it for a while not knowing why I couldn't see my own password-protected galleries and then wondering why the access token had Public permissions on it when I had requested Full. Wasn't sure if I was requesting it right, until I thought to check the control panel.
Matt
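The client-side check Matt describes, as an added example that is not SmugMug's code or code from this thread: it compares the Access and Permissions values carried on the returned access token against what the app asked for, so a re-authorization that silently kept an earlier, narrower grant is caught before the app starts failing on password-protected galleries. The form-encoded token response, the rank tables (only the Public/Full and Read/Write values mentioned in the thread) and the function names are assumptions.

```python
# Added example (not SmugMug's own code). Detect when an OAuth access token
# was granted with less Access or fewer Permissions than the app requested.
from typing import Dict, List
from urllib.parse import parse_qs

# Assumed ordering of grant levels, weakest first. Only the values named in
# the thread are listed; extend from the provider's documentation as needed.
ACCESS_RANK = {"Public": 0, "Full": 1}
PERMISSION_RANK = {"Read": 0, "Write": 1}


def parse_token_response(body: str) -> Dict[str, str]:
    """Parse a form-encoded access-token response (assumed format) into a dict."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def _rank(table: Dict[str, int], value: str, field: str) -> int:
    # An unknown level is treated as an error rather than silently ranked.
    if value not in table:
        raise ValueError(f"unknown {field} value: {value!r}")
    return table[value]


def grant_shortfalls(requested: Dict[str, str], token: Dict[str, str]) -> List[str]:
    """Return one message per field where the token grants less than requested."""
    problems: List[str] = []
    for field, table in (("Access", ACCESS_RANK), ("Permissions", PERMISSION_RANK)):
        want = requested.get(field)
        if want is None:
            continue  # app did not ask for this field
        got = token.get(field)
        if got is None:
            problems.append(f"{field}: token response does not state it")
            continue
        if _rank(table, got, field) < _rank(table, want, field):
            problems.append(f"{field}: requested {want}, token only grants {got}")
    return problems


def check_grant(requested: Dict[str, str], body: str) -> Dict[str, str]:
    """Parse the token response and fail loudly if the grant is narrower than requested."""
    token = parse_token_response(body)
    shortfalls = grant_shortfalls(requested, token)
    if shortfalls:
        # Surface this to the user so they can revoke and re-authorize.
        raise PermissionError("; ".join(shortfalls))
    return token
```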