Previously authorized 3rd party apps still require reauthorization

I’m not sure if there’s been an intentional change lately to the system related to authorization flows, but it seems like something has changed.

I have a couple of single-page web applications that I made back in the day that utilize the PKCE authorization flow:

It used to be that once I had initially authorized these apps for use with my account, I would be able to use the apps without going through the iNat authorization screen again in the future (unless I revoked the authorization in my account settings).

But now, I’m having to reconfirm on the iNat authorization screen every time I use the apps. I’m not sure when the problem began since I don’t use these apps often, but I think it must have been a recent change (in the last few months).

Here’s a screenshot that shows that I’ve already authorized these apps (the dates reflect today because I had to reconfirm earlier):

I’m going to use my first app (https://jumear.github.io/stirfry/iNat_PKCE_flow_example.html), and when I click on the link on that page to trigger the connection to iNat, I get redirected to the iNat authorization page:

If I Authorize, I get directed back to my app, and it displays my iNat user ID.

But then if I close the page, reopen it, and then click the link that should trigger my iNat user ID to be retrieved and displayed, I get redirected again to the above iNat authorization screen.

Is this the new normal? Did something change that I need to account for in the applications now so that I don’t have to always go through the iNat authorization screen?


I’ll ask.

As far as I can tell nothing has changed and this is the way OAuth is supposed to work: the client asks for an authorization code, and if the resource owner grants permission, the server delivers the authorization code to the client which the client then uses to request an access token, but that code must only be used once, so the grant is revoked immediately after the code gets used. Here’s what the spec says:

The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.

We use software called Doorkeeper to manage OAuth interaction, and this is the line where the access grant gets revoked (hasn’t changed in 8 years).

FWIW, I think the intent here is to support apps that have some state and can hold on to access and refresh tokens. For applications like yours where (I think) you’re not storing the access token, the user will need to grant access every time you want to get a new access token.

Hmmm… just based on how I remember iNat’s PKCE flow working, I thought that for each authorization request, the system was just referring back to the user’s original authorization decision, if it existed, rather than asking the user to authorize every time. (After all, you do keep a record of which 3rd party apps each user has previously authorized.)

I suppose it’s possible that I am misremembering that process, but I even wrote in the instructions of one of my apps that iNat would only ask the user for an authorization decision the first time (unless they subsequently revoked authorization).

I guess when I have some time, I’ll have to go through the code to see where the authorization decision screen is getting called and whether there might be / have been some alternate path that gets the previous decision from what has been previously recorded…
