Merge pull request #745 from Mashape/fix/oauth2-scopes

OAuth 2.0 scopes are now properly parsed
Kong · Nov 25, 2015 · da0abb4 · da0abb4
2 parents 4281bdc + b7b65f2
commit da0abb4
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 3 deletions.
diff --git a/kong/plugins/oauth2/access.lua b/kong/plugins/oauth2/access.lua
@@ -92,7 +92,7 @@ local function retrieve_scopes(parameters, conf)
   local scope = parameters[SCOPE]
   local scopes = {}
   if conf.scopes and scope then
-    for v in scope:gmatch("%w+") do
+    for v in scope:gmatch("%S+") do
       if not utils.table_contains(conf.scopes, v) then
         return false, {[ERROR] = "invalid_scope", error_description = "\""..v.."\" is an invalid "..SCOPE}
       else
@@ -323,7 +323,7 @@ local function parse_access_token(conf)
     local authorization = ngx.req.get_headers()["authorization"]
     if authorization then
       local parts = {}
-      for v in authorization:gmatch("%w+") do -- Split by space
+      for v in authorization:gmatch("%S+") do -- Split by space
         table.insert(parts, v)
       end
       if #parts == 2 and (parts[1]:lower() == "token" or parts[1]:lower() == "bearer") then

diff --git a/spec/plugins/oauth2/access_spec.lua b/spec/plugins/oauth2/access_spec.lua
@@ -50,7 +50,7 @@ describe("Authentication Plugin", function()
         { username = "auth_tests_consumer" }
       },
       plugin = {
-        { name = "oauth2", config = { scopes = { "email", "profile" }, mandatory_scope = true, provision_key = "provision123", token_expiration = 5, enable_implicit_grant = true }, __api = 1 },
+        { name = "oauth2", config = { scopes = { "email", "profile", "user.email" }, mandatory_scope = true, provision_key = "provision123", token_expiration = 5, enable_implicit_grant = true }, __api = 1 },
         { name = "oauth2", config = { scopes = { "email", "profile" }, mandatory_scope = true, provision_key = "provision123", token_expiration = 5, enable_implicit_grant = true }, __api = 2 },
         { name = "oauth2", config = { scopes = { "email", "profile" }, mandatory_scope = true, provision_key = "provision123", token_expiration = 5, enable_implicit_grant = true, hide_credentials = true }, __api = 3 },
         { name = "oauth2", config = { scopes = { "email", "profile" }, mandatory_scope = true, provision_key = "provision123", token_expiration = 5, enable_client_credentials = true, enable_authorization_code = false }, __api = 4 },
@@ -236,6 +236,26 @@ describe("Authentication Plugin", function()
         assert.are.equal("email", data[1].scope)
       end)
 
+      it("should return success with a dotted scope and store authenticated user properties", function()
+        local response, status = http_client.post(PROXY_SSL_URL.."/oauth2/authorize", { provision_key = "provision123", authenticated_userid = "id123", client_id = "clientid123", scope = "user.email", response_type = "code", state = "hello", authenticated_userid = "userid123" }, {host = "oauth2.com"})
+        local body = cjson.decode(response)
+        assert.are.equal(200, status)
+        assert.are.equal(1, utils.table_size(body))
+        assert.truthy(rex.match(body.redirect_uri, "^http://google\\.com/kong\\?code=[\\w]{32,32}&state=hello$"))
+
+        local matches = rex.gmatch(body.redirect_uri, "^http://google\\.com/kong\\?code=([\\w]{32,32})&state=hello$")
+        local code
+        for line in matches do
+          code = line
+        end
+        local data = dao_factory.oauth2_authorization_codes:find_by_keys({code = code})
+        assert.are.equal(1, #data)
+        assert.are.equal(code, data[1].code)
+
+        assert.are.equal("userid123", data[1].authenticated_userid)
+        assert.are.equal("user.email", data[1].scope)
+      end)
+
     end)
 
     describe("Implicit Grant", function()