These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE Technology Lab


ESI - Scope Questions

Kelath Erebus
Federal Navy Academy
Gallente Federation
#1 - 2017-03-17 16:09:22 UTC
Hoping someone might have answers to these questions, they are all related, I just broke them down for clarity:

1) Can you ask for additional scope rights? For instance, say Star Lord goes to your website/app and is redirected to SSO, however you don't ask for any scope rights at that point, you just want to let Star Lord enter your website. Then Star Lord goes to a tab to show inventory, can you then somehow prompt Star Lord to give asset scope rights?

2) If yes to #1, would you do that by just creating another SSO link but with the specific scope requested, then redirect them back to the inventory page?

3) If yes to #2, do these scopes stack? Meaning, if Star Lord goes from inventory which he granted access, then to industry jobs for instance and grants that, does the site now have access to both assets and industry jobs, or does one override the other since he was redirected to SSO and selected a different scope?

I thought with CREST and from what I've seen with FleetUp that this seemed possible, I just want to know if anyone has had experience with the above with ESI and if it is possible with ESI.

Thanks in advance!
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#2 - 2017-03-17 19:04:05 UTC
1) The only way to get additional scopes is to get the user to auth again and get a new token. (It should remember them, so it should just be 3 clicks or so.)

2) yes

3) No. Each token has a specific set of scopes. Once it's created, it can't be changed.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Blacksmoke16
Resilience.
#3 - 2017-03-17 19:44:36 UTC
It should also be noted that if you have a refresh token for a set of scopes, and you then auth and add more scopes, if you do not update to the new refresh token it will only generate a token for the old set of scopes. Took a while to figure this out :P
Kelath Erebus
Federal Navy Academy
Gallente Federation
#4 - 2017-03-17 22:40:27 UTC
Quote:
3) no. Each token has a specific set of scopes. once it's created, it can't be changed.


So if Star Lord first approves a token for a scope regarding Inventory. Then Star Lord approves a token for a scope regarding Industry Jobs. Can I utilize both tokens separately, or does ESI kill off (invalidate on its side) the older token in favor of the new token?

I ask because I just think it would be annoying to constantly have to have the site visitor create a new token depending on what feature they want to use, if only one token is allowed per site/app per character at any given time then it would make more sense to ask for all scopes up front whether the user intends to use certain features of the site/app or not.

Thanks again for responding, I do appreciate it!

Quote:
It should also be noted that if you have a refresh token for a set of scopes, and you then auth and add more scopes, if you do not update to the new refresh token it will only generate a token for the old set of scopes. Took a while to figure this out :P


Good to know!
Blacksmoke16
Resilience.
#5 - 2017-03-17 22:50:21 UTC  |  Edited by: Blacksmoke16
I don't think you get how it works. Star Lord would have to login with the assets scope and auth that. Then if later on he wants industry jobs (no ESI endpoint for that yet, I think) he would have to login with BOTH the industry jobs AND assets scopes.

i.e. He should just login with ALL the scopes he needs for the features he needs.

The way I handle it is to have my app set with all the scopes that it needs. Then, I have a set of checkboxes like:

'Do you want to allow the app to read your assets?'
'Do you want to allow the app to read your wallet?'
etc

Then when they hit login it will auth the scopes they requested, using a url that is built based on what checkboxes are checked. I also use this as a check, so people can't access certain pages w/o certain scopes.

Yes asking for all the scopes up front makes it easier but also less secure. Like people might not want to login to your app if they only want to say read mail when you are asking for read mail, wallet, assets, open windows etc.
Kelath Erebus
Federal Navy Academy
Gallente Federation
#6 - 2017-03-17 23:35:10 UTC
Quote:
I don't think you get how it works. Star Lord would have to login with the assets scope and auth that. Then if later on he wants industry jobs (no ESI endpoint for that yet, I think) he would have to login with BOTH the industry jobs AND assets scopes.


Thanks for the clarification, that's what I was after. So Star Lord can only have one active token in the database that is used to connect with ESI, and that token would include all the relevant scopes.

Quote:
Yes asking for all the scopes up front makes it easier but also less secure. Like people might not want to login to your app if they only want to say read mail when you are asking for read mail, wallet, assets, open windows etc.


I agree.

Quote:
The way I handle it is to have my app set with all the scopes that it needs. Then, I have a set of checkboxes


That's a good way to handle it, then you can track what's selected on your end to restrict access or pre-check the boxes if they want to adjust the access by going through the SSO process again with the new scopes.

Thanks for the input!
Blacksmoke16
Resilience.
#7 - 2017-03-17 23:57:48 UTC
NP.

Well, I mean he ~could~ have more than 1, but I don't think that would be the best way to do it.

I just have a row for each user, with a token/refreshToken column etc. I store the list of scopes they logged in with; if they log in again with a scope that isn't in that list, or a scope is missing from the list, then it gets a new refresh token and access token and updates their details.
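The scheme described in posts #5 and #7 (build the SSO login URL from the scope checkboxes the user ticked, keep one token row per character together with its scope set, replace the refresh token only when the granted scopes change, and gate pages on the stored scopes), as an added example that is not code from anyone in this thread. The SSO authorize endpoint, scope names, client id and redirect URI are assumed placeholders; the in-memory dict stands in for the database row.

```python
from urllib.parse import urlencode

# Assumed SSO authorize endpoint; check the current EVE SSO documentation.
SSO_AUTHORIZE = "https://login.eveonline.com/oauth/authorize"

# Checkbox name -> ESI scope it maps to (scope names assumed, not from the thread).
CHECKBOX_SCOPES = {
    "read_assets": "esi-assets.read_assets.v1",
    "read_wallet": "esi-wallet.read_character_wallet.v1",
    "read_mail": "esi-mail.read_mail.v1",
}

# One row per character: the refresh token plus the scope set it was issued for.
TOKEN_STORE = {}


def build_authorize_url(client_id, redirect_uri, checked_boxes, state):
    """Build the SSO login URL asking only for the scopes the user ticked."""
    scopes = sorted(CHECKBOX_SCOPES[name] for name in checked_boxes)
    params = {"response_type": "code", "redirect_uri": redirect_uri,
              "client_id": client_id, "scope": " ".join(scopes), "state": state}
    return SSO_AUTHORIZE + "?" + urlencode(params)


def needs_reauth(character_id, wanted_scopes):
    """A token's scopes are fixed at creation, so any missing scope means a new login."""
    row = TOKEN_STORE.get(character_id)
    return row is None or not set(wanted_scopes) <= row["scopes"]


def store_token(character_id, refresh_token, granted_scopes):
    """Replace the row when the granted scope set differs from the stored one.
    Keeping the old refresh token would keep minting access tokens with the
    old scopes (the pitfall from post #3). Returns True if the row changed."""
    row = TOKEN_STORE.get(character_id)
    new_scopes = set(granted_scopes)
    if row is None or row["scopes"] != new_scopes:
        TOKEN_STORE[character_id] = {"refresh_token": refresh_token,
                                     "scopes": new_scopes}
        return True
    return False


def can_access(character_id, required_scope):
    """Page-level check: e.g. the inventory page requires the assets scope."""
    row = TOKEN_STORE.get(character_id)
    return row is not None and required_scope in row["scopes"]
```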