oAuth2 and state param doesn't always get returned


Scott

Nov 28, 2013, 7:22:19 AM
to assembla...@googlegroups.com
Hi,

I'm just starting to upgrade from the old api, but unfortunately have hit a blocker at the oAuth stage.

When sending a user off to https://api.assembla.com/authorization to allow the given user to approve access, it is also possible to send the state param along with the (code and client_id) and this should then be returned to the client along with the authorization code when redirecting back to the client. (If it helps, here's part of the oAuth spec that outlines it: http://tools.ietf.org/html/rfc6749#section-4.1.1 )

There is one instance where this does not work correctly with Assembla:

- If the user has already granted access to the application, the situation with state being returned works fine.

- However, if the user is new to the requesting application and is therefore shown the "application is requiring your resource access." page, when the user clicks on 'Allow' and is returned to the client, the state param is not returned with them.

Would you be able to look into this and see if it's possible to have this param returned in the second instance too?

Thanks,
Scott

Stanislav Kolotinskiy

Nov 28, 2013, 7:43:08 AM
to assembla...@googlegroups.com
Hi Scott,

unfortunately, we haven't implemented this part of the oAuth spec yet. We
will most likely implement that at some point in the future, but I can't
give you any ETA. I'm sorry for the inconvenience.

Regards,
Stanislav


Scott

Nov 28, 2013, 9:06:14 AM
to assembla...@googlegroups.com
Thanks for your prompt reply.

The problem that I have is that all users of my software have a subdomain, and I need to redirect them back to their correct account and save the details in the correct account after the redirect. Is there anything that you can suggest to help out with this?

If not, are you able to provide further details on how long the old API will exist within your hosted version? (I have lots of Assembla users who make use of this integration and need to make sure that it does continue to work for them.)

Thanks,
Scott

Stanislav Kolotinskiy

Nov 28, 2013, 9:14:42 AM
to assembla...@googlegroups.com
Well, unfortunately, I can't provide you with any workaround for this.
Anyway, we will implement state before completely getting rid of the old
API, so you can still use it. We will let you know when state
implementation gets into production so that you are able to switch to
the new API.

Regards,
Stanislav

Scott

Nov 28, 2013, 9:24:40 AM
to assembla...@googlegroups.com
Oh, that's cool,
thanks for confirming that.

Scott

Feb 22, 2017, 4:47:43 AM
to Assembla API Development
Hi

Would you be able to provide an update on this please?

Thanks
Scott

Stanislav Kolotinskiy

Feb 22, 2017, 5:35:44 AM
to Scott, Assembla API Development
Hi Scott,

there are still no updates here, sorry. I will talk to my bosses and will let you know about the decision.

Regards,
Stanislav


Scott

Feb 22, 2017, 9:40:05 AM
to Assembla API Development, scott sherwood

Thanks for the quick update and for following it up.

We are in the process of choosing tools to receive additional features for current integrations as outlined at https://blog.testlodge.com/new-release-issue-tracker-integration/ and we would like to add this additional functionality to Assembla, but we do need this update first before we can move across to the new API.

Scott

Stanislav Kolotinskiy

Mar 1, 2017, 6:19:38 AM
to Scott, Assembla API Development, scott sherwood
Hi Scott,

we just checked it on our servers and we actually realized that it works without any changes to the codebase. Can you please check and confirm?

Regards,
Stanislav

Scott

Mar 2, 2017, 5:12:27 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
Hi Stanislav

That's great news, thanks for the update.

I will schedule some time over the next week to test this out and let you know how I get on.

Thanks
Scott

Scott

Mar 3, 2017, 8:00:07 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
Hi Stanislav

We've just looked into this, but we are still not seeing the state param being passed back. Here are the details of the URLs that we are seeing.


We firstly send the user over to the following url:

https://api.assembla.com/authorization?client_id=<public_key>&response_type=code&state=testlodge


When a user clicks 'Allow' they are then re-directed to the following url:

http://localhost.com:3000/im/assemblas?code=<Code here>

Which is where the state param is missing.


Would you be able to take another look at this please?

Thanks
Scott
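
An added example (not part of the thread, and not Assembla's or TestLodge's code): one way a client can carry the account subdomain in `state`, bind it to the user's session, and fail closed when the callback arrives without `state`, as in the redirect quoted above. `SECRET`, the `session` dict and all function names are assumptions made for illustration; only the authorization endpoint and its parameters come from the thread.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = secrets.token_bytes(32)  # assumption: server-side key, stable across workers in real use

def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def make_state(tenant: str, session: dict) -> str:
    """Signed state carrying the tenant subdomain; its nonce is stored in the user's session."""
    nonce = secrets.token_urlsafe(16)
    session["oauth_nonce"] = nonce
    raw = json.dumps({"t": tenant, "n": nonce}).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return f"{payload}.{_sign(payload)}"

def authorization_url(client_id: str, state: str) -> str:
    # Endpoint and parameter names as quoted in the thread.
    query = urlencode({"client_id": client_id, "response_type": "code", "state": state})
    return "https://api.assembla.com/authorization?" + query

def handle_callback(callback_url: str, session: dict) -> tuple:
    """Return (tenant, code); raise ValueError if state is absent, forged or from another session."""
    qs = parse_qs(urlparse(callback_url).query)
    code = qs.get("code", [None])[0]
    state = qs.get("state", [None])[0]
    expected = session.pop("oauth_nonce", None)  # single use: a replayed callback fails
    if not code or not state or expected is None:
        raise ValueError("callback missing code or state; restart the flow")
    payload, _, sig = state.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        raise ValueError("state signature invalid")
    data = json.loads(base64.urlsafe_b64decode(payload))
    if not hmac.compare_digest(data["n"].encode(), expected.encode()):
        raise ValueError("state not issued for this session")
    return data["t"], code

if __name__ == "__main__":
    sess = {}  # constructed stand-in for a server-side session
    st = make_state("acme", sess)
    print(authorization_url("<public_key>", st))
    cb = "http://localhost.com:3000/im/assemblas?" + urlencode({"code": "abc", "state": st})
    print(handle_callback(cb, sess))
```

Because the tenant is only trusted after the signature and session nonce check, a callback without `state` cannot be routed to any account and the flow has to be restarted.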

Stanislav Kolotinskiy

Mar 3, 2017, 8:43:28 AM
to Scott, Assembla API Development, sc...@urbandream.net
Hi Scott,

meh, you are right - my test scenario was partially wrong, since I was testing on an app that I already allowed. So your scenario makes sense. We will fix that and I will ping you back when we’re good to go.

Regards,
Stanislav

Stanislav Kolotinskiy

Mar 6, 2017, 8:21:05 AM
to Scott, Assembla API Development, sc...@urbandream.net
Hi Scott,

we just deployed a patch that should fix this issue. Can you please recheck?

Regards,
Stanislav

Scott

Mar 6, 2017, 8:48:05 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
Hi Stanislav

Big thank you for looking into this.

I can confirm that this is now working as expected, so thank you for your help. We will now schedule some time and refresh / improve our integration with Assembla, which I’m sure will make many users happy who are using it.

Just one final question. The access token shows that by default it is valid for 899 seconds (So about 15 minutes). Is there any param we can pass over to extend the expiry time? (No problem if not)

Thanks
Scott

Stanislav Kolotinskiy

Mar 6, 2017, 9:13:25 AM
to Scott Sherwood, Scott, Assembla API Development
Unfortunately no - you’ll have to use refresh tokens for getting new ones.

Regards,
Stanislav

Scott

Apr 6, 2017, 5:26:15 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
Hi

We are noticing an issue that the state param doesn't always get returned.

We've been testing this over a few days and have found that when the user is logged in to Assembla but has not used the tool for a while, the param does not get passed back. If you go back and then try the process again, it then does work.

Is there a different process (maybe logging in from a cookie) which is causing the issues on the first attempt?

Thanks
Scott

Stanislav Kolotinskiy

Apr 10, 2017, 6:16:25 AM
to Scott, Assembla API Development, sc...@urbandream.net
Hi Scott,

can you please tell me some timestamp when this happened? I want to check logs, and I need some reference.

Regards,
Stanislav

Scott

Apr 10, 2017, 6:25:31 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
Hi

I've just been able to replicate the issue just now. 11:20 GMT

The first time I tried to use the auth, Assembla sent me back without the state param.
I then went and tried again and it worked perfectly.

It always seems to fail on the first attempt after I've not used Assembla for a while.

Scott

Stanislav Kolotinskiy

Apr 10, 2017, 7:30:00 AM
to Scott, Assembla API Development, sc...@urbandream.net
Just wondering if you’re redirected to the login page.

Regards,
Stanislav

Scott

Apr 10, 2017, 7:57:15 AM
to Assembla API Development, scottshe...@googlemail.com, sc...@urbandream.net
No, it just sent me immediately back to the return path. (the application would have already been allowed if that makes any difference.)

Scott