leave partial scopes validation to calling code

+7 -5
+3
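--- a/atproto/auth/oauth/doc.go
+++ b/atproto/auth/oauth/doc.go
@@ -87,6 +87,9 @@
 _ = sessData.AccountDID
 _ = sessData.SessionID
 
+// the returned scopes might not include all of those requested
+_ = sessData.Scopes
+
 http.Redirect(w, r, "/app", http.StatusFound)
 }
 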
+1 -5
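--- a/atproto/auth/oauth/oauth.go
+++ b/atproto/auth/oauth/oauth.go
@@ -635,14 +635,10 @@
 }
 }
 
-// TODO: could be flexible instead of considering this a hard failure?
-if tokenResp.Scope != info.Scope {
-return nil, fmt.Errorf("token scope didn't match original request")
-}
-
 sessData := ClientSessionData{
 AccountDID: accountDID,
 SessionID: info.State,
+Scopes: strings.Split(tokenResp.Scope, " "),
 HostURL: hostURL,
 AuthServerURL: info.AuthServerURL,
 AccessToken: tokenResp.AccessToken,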
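Review bot: `strings.Split(tokenResp.Scope, " ")` returns a one-element slice holding an empty string when the token response carries no scope value, and produces empty entries on repeated spaces, so a caller testing `len(sessData.Scopes)` or searching the list can be misled; `strings.Fields(tokenResp.Scope)` gives a clean, possibly empty, list. With the equality check removed, nothing visible in this hunk verifies the granted set in either direction: the server may return fewer scopes than `info.Scope` requested, or scopes that were never requested. If the library is meant to guarantee a minimum (for example that a base scope the client always requests is present), that check belongs here rather than in every caller; otherwise the function's doc comment should state explicitly that `Scopes` is returned unvalidated. The enclosing function starts and ends outside the hunk.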
+3
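--- a/atproto/auth/oauth/session.go
+++ b/atproto/auth/oauth/session.go
@@ -39,6 +39,9 @@
 // Full token endpoint
 AuthServerTokenEndpoint string `json:"authserver_token_endpoint"`
 
+// The set of scopes approved for this session (returned in the initial token request)
+Scopes []string `json:"scopes"`
+
 // Token which can be used directly against host ("resource server", eg PDS)
 AccessToken string `json:"access_token"`
 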
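Review bot: The field comment on `Scopes` does not say that the list is stored as received and never compared with the requested scopes, which is the property callers now have to rely on; a wording such as `// Scopes granted by the auth server in the initial token response; not validated against the request, callers must check for the scopes they need` would make that explicit. Session records persisted before this field existed will presumably decode with a nil `Scopes`, so authorization checks built on it should treat an empty list as unknown and fail closed. The struct definition starts and ends outside the hunk.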