Giving the ScopeRepository a reference to the AuthCode during AuthCode grant.

[Shkeats]

It would be useful if the ScopeRepositoryInterface finalizeScopes() method took a nullable param of $authCodeIdentifier so that we can use contextual information stored on the authCode object to make decisions about which scopes a user can get. The AuthCode Grant could pass in it $authCodePayload->auth_code_id to this.

In my case this would be helpful as I need to persist some information about the state of the users session at the auth server when the auth code is issued and use this to determine if they get a certain scope when their token is issued. Obviously as the auth_code->access_token exchange is server to server the user's session is no longer present at the point the scopes are determined. The AuthCode object seems a natural place to persist this.

Let me know your thoughts or if I'm missing an obvious solution to my problem.

[alexbilbie]

I believe the finalizeScopes does what you require?

[Shkeats]

@alexbilbie as far as I can tell there's currently no way to get a reference to the authcode inside finalize scopes?

[alexbilbie]

finalizeScopes tells you the user ID, the scopes that were requested, the client and the grant type - what additional information do you need to make a decision?

[Shkeats]

@alexbilbie It would be useful to have the AuthCode's id to access information persisted alongside the AuthCode when the user was present.

In my case, these are details about the state of the user's session at the point in time the AuthCode was made. This factors into the decision about which scopes can be requested.

Currently what I'm doing is using the user_id, client_id and scopes to grab the newest auth code that matches those criteria from the table, but this isn't always guaranteed to be the same one.

[alexbilbie]

Okay; this will have to wait until V6 as it will require an interface change 👍

[Shkeats]

On a related note I think it would also be helpful to give the access token repository a reference to the auth code so that we can persist the relationship between the two without needing to create a custom Grant type.

[Richard87]

@alexbilbie Sorry for bringing this upp, 4! years later...

I have a similar problem, I need to know the security level the user authenticated with (username/password, username/password+otp or high-security external oidc-provider).

This information is available when authorizing the user, and stored in the AuthCode, but it's not available when I produce the AccessToken or the IdToken. I don't care if the security level is stored in the jwt, or in the entity/database, but I need the information when authorizing a request using the provided access-token (or IdToken)

[Richard87]

Is this something you would accept a pull-request to fix?

Edit

I guess the easiset way would be to add the AuthCode to AccessTokenRepositoryInterface::getNewToken() and to AbstractGrant::issueAccessToken()

[Sephster]

@Richard87 I would definitely accept a PR for this issue as it should be straight forward. As @Shkeats suggested, we just need a nullable reference to the auth code ID.

This is an interface change though so wouldn't be released until the next major version and would need to be created on the v9 branch. Cheers