
Temporarily locking oauth2-client to 2.7.0 due to upstream bug with refresh tokens #10

Closed
jamesmacwhite opened this issue Dec 27, 2024 · 4 comments

Comments

@jamesmacwhite

Describe the bug

Due to the upstream issue: thephpleague/oauth2-client#1052 in the 2.8.0 release for refresh tokens, which seems to have a bigger impact on Google OAuth than anything, I'm wondering if it is worth considering locking the package version to 2.7.0 temporarily?

At the moment OAuth and refresh token scopes are potentially broken which could lead to some interesting issues as I discovered. While there is an open PR to "fix" the issue, it sounds like there's not a clear decision on the agreed solution.

To prevent Auth shipping broken OAuth client behaviour, it might be worth locking the oauth2-client package dependency temporarily?

Steps to reproduce

N/A. Upstream composer dependency bug.

Craft CMS version

5.5.7

Plugin version

2.0.18

Multi-site?

No

Additional context

No response

@tomdavies

I've also hit the same issue after a recent composer update (👋 hi @jamesmacwhite)

Adding "league/oauth2-client": "2.7.0" to my composer.json fixed the issue for me, and seems to be the sensible thing to do until thephpleague/oauth2-client#1053 is merged upstream.

@jamesmacwhite
Author

@tomdavies Hi!

Yes, that's what I've also done. The 2.8.0 release was 11 December, so it's been in the wild for a bit of time and has caused some issues. The Auth module is leveraged by Consume, possibly Formie and others, so I think it might be the safest if Auth potentially enforced this to stop Verbb plugins being broken.

Alternatively setting in your project's composer is a good idea too, as it will cover any other plugins that may be using thephpleague/oauth2-client.

Either way, hopefully this helps others not smack their head against the wall for a while failing to see how a valid OAuth token became invalid on a refresh. The upstream change is a bit brutal: it basically nukes any custom scopes set on refresh, which can have rather bad consequences, as discovered!
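The two workarounds discussed in this thread (pinning league/oauth2-client to 2.7.0 in composer.json, and making sure the resolved lock file is not on the affected 2.8.0 release) can be checked in CI. The following is an added example, not code from the issue or from the Auth plugin; the composer.json and composer.lock contents it reads are constructed samples.

```python
import json

# Values taken from the thread: the upstream release that broke refresh-token
# scopes and the version both commenters pinned instead.
PACKAGE = "league/oauth2-client"
AFFECTED_VERSION = "2.8.0"
PINNED_VERSION = "2.7.0"


def lock_version(lock_text: str, package: str = PACKAGE):
    """Return the resolved version of `package` from composer.lock, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                # Some packages tag releases as "vX.Y.Z"; normalise for comparison.
                return pkg.get("version", "").lstrip("v")
    return None


def check_pin(composer_json_text: str, lock_text: str):
    """Return a list of findings; an empty list means the workaround is in place."""
    findings = []
    require = json.loads(composer_json_text).get("require", {})
    constraint = require.get(PACKAGE)
    if constraint != PINNED_VERSION:
        findings.append(
            f"composer.json does not pin {PACKAGE} to {PINNED_VERSION} "
            f"(found: {constraint!r})"
        )
    resolved = lock_version(lock_text)
    if resolved == AFFECTED_VERSION:
        findings.append(f"composer.lock resolves {PACKAGE} to affected {AFFECTED_VERSION}")
    elif resolved is None:
        findings.append(f"{PACKAGE} not present in composer.lock")
    return findings


# Constructed sample files for demonstration (not from a real project).
SAMPLE_COMPOSER_JSON = json.dumps({"require": {PACKAGE: "^2.7"}})
SAMPLE_COMPOSER_JSON_PINNED = json.dumps({"require": {PACKAGE: PINNED_VERSION}})
SAMPLE_LOCK_BROKEN = json.dumps({"packages": [{"name": PACKAGE, "version": "2.8.0"}]})
SAMPLE_LOCK_PINNED = json.dumps({"packages": [{"name": PACKAGE, "version": "2.7.0"}]})

if __name__ == "__main__":
    for finding in check_pin(SAMPLE_COMPOSER_JSON, SAMPLE_LOCK_BROKEN):
        print("FAIL:", finding)
```

Run against a project's real composer.json and composer.lock, a non-empty result is a signal that `composer update` may have pulled in the 2.8.0 release.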

@engram-design
Member

Appreciate the investigation on this one, updated in 2.0.19.

@jamesmacwhite
Author

Thanks @engram-design. I am keeping an eye on the upstream repository for updates; in the meantime this should help anyone using the Auth module either directly or indirectly, and ensure downstream Consume is protected from it as well.
