Enforcing scopes when accessing a resource

[michalbundyra]

My issue is with line 146 in ZF\MvcAuth\Authentication\DefaultAuthenticationListner
if ($this->oauth2Server->verifyResourceRequest($oauth2request))

The verifyResourceRequest method has a $scope parameter that isn't getting passed to the oauth server in this line so it is assumed that any scope is vaild for this request as $scope defaults to null.

I'm aware that at this point it would be necessary to identify what scope should be required for this request and pass it through to the verifyResourceRequest method so that the token can be checked for this scope.

Is the DefaultAuthenticationListner designed to be overridden so that I can implement functionality to check which scope is required for this request or am I missing something?

---

Originally posted by @CymruKakashi at zfcampus/zf-apigility#33

[michalbundyra]

I've never had luck overriding the DefaultAuthenticationListener .. it seems to just not run anything if I pass no variable for priority.

The limitation I'm seeing is that I cannot use assertions very easily, without modifying the ACL resources to being complex objects..

If you can, in a AuthenticationListener.. preempt the Default and return whatever it is you would normally want the default listener to do..

I'd also like to see a way to detach the default listener entirely, but that's more of a recipe problem.. I am pretty sure it can be done (perhaps in the Bootstrap)

---

Originally posted by @EMCP at zfcampus/zf-apigility#33 (comment)

[michalbundyra]

Not a fix for the issue, but I was able to override the DefaultAuthenticationListener by registering my own factory under the same name in config/autoload/global.php

    'service_manager' => array(
        'factories' => array(
            'ZF\MvcAuth\Authentication\DefaultAuthenticationListener' => 'MyApp\AuthenticationListenerFactory',
        ),
    ),

---

Originally posted by @glennschmidt at zfcampus/zf-apigility#33 (comment)