EveSSO url and standard limit to urls

OK, I have confused people by using login.

I am doing exactly what you are saying Steve. They are logging on my site via evesso with no scopes.
HOWEVER, they are registering their chars using esi, which requires an access token. I store the refresh token so I don’t have to get the user to log in again. But this is where the issue is.

My platform does EVERYTHING. Literally. So, for my services to continue I need ALL char scopes for a token.

Again, remember I am not making something new. I am updating my existing platform to use esi. Right now you can log into my site and do about anything. Look at ALL your assets across ALL chars. Aka, search all chars for that module you know you looted. Look at emails, track indy jobs, contracts wallet track, emails EVERYTHING.

It does the same for corp stuff. Monitors all structures, timers, fuel, assets, contracts etc. Think of a system like Yapeal, but custom made. That’s what’s running now. Also, all permissions for external services are also synced. A cron job constantly checks titles and roles of members and adds them to groups within my platform. Any change in someone’s permissions triggers an event to update services. So, if you are made director, within 5 mins you are in the correct channels in discord, have the correct rights, can see and use the right forums etc.

In order for this to continue, so you can log in as a char or director and use all these tools without re-registering tokens over and over for different services, I need to request all char scopes per char and char + corp scopes for the ceo.

This makes a url longer than 2048, making anyone not using chrome or edge unable to register a token at all…

Now I am sure at some point someone is going to say, don’t do so much then. But that’s the thing. I am already doing them all…now. Upgrading to esi is giving me nothing I need, but it might make me drop services or force people to use chrome. Bottom dollar, Ace Auth worked as described doing everything you might want to do in xml. I love the idea of esi, but it is going to break everything I have made in 5 years or I force everyone to use chrome. And this really didn’t need to happen. If CCP rolled up scopes a bit, there doesn’t need to be 178 of them. If they also made them shorter, so they are not esi-chars.some_scope_that_is_really_long.v1,

If they did those 2 things, we would never hit the 2048 limit.

It’s something which is being discussed (the meta scope bit. Or at least some kind of aliasing).

Now, the actual scopes are what would be granted in this instance. You would never gain access to a new endpoint, with an old token. That’s explicitly not going to happen. It’d be an alias at grant time only, to keep url size down.

I don’t want to get too involved in this. I’m sure people already have their ideas, but if it’s of any help then perhaps have a resource at the ESI server where one can post a list of scopes and gets returned a bit field representation of these scopes. When you use 256 bits for example, where each set bit represents a scope you need, then you’d still only need a 43 character string to represent the entire 256 bits or rather 256 scopes (that’s including a base64 encoding). This would be a whole lot shorter than concatenating every single scope onto one another where you only end up with 3000+ character URLs.
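The bit-field idea from the post above, sketched as an added example that is not part of the thread or of ESI. The scope registry, its names and its ordering are constructed for illustration, and no such ESI resource is assumed to exist.

```python
import base64

# Constructed registry: bit position -> scope name. The names are made up for
# this example; a real server would publish its own fixed ordering.
REGISTRY = [f"esi-sample.read_thing_{i:03d}.v1" for i in range(178)]
INDEX = {name: i for i, name in enumerate(REGISTRY)}
FIELD_BYTES = 32  # 256 bits, as in the post


def encode_scopes(scopes):
    """Pack scope names into a 256-bit field, base64url without padding."""
    bits = 0
    for name in scopes:
        if name not in INDEX:
            raise ValueError(f"unknown scope: {name}")
        bits |= 1 << INDEX[name]
    raw = bits.to_bytes(FIELD_BYTES, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_scopes(field):
    """Expand the field back to explicit scope names, as done at grant time."""
    padded = field + "=" * (-len(field) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) != FIELD_BYTES:
        raise ValueError("bit field must be exactly 256 bits")
    bits = int.from_bytes(raw, "big")
    if bits >> len(REGISTRY):
        # Reject bits that map to no registered scope instead of ignoring them.
        raise ValueError("bit set for a scope that does not exist")
    return [name for i, name in enumerate(REGISTRY) if bits >> i & 1]


def lengths(scopes):
    """Return (length of the space-joined scope string, length of the field)."""
    return len(" ".join(scopes)), len(encode_scopes(scopes))
```

Because the field is expanded to explicit scope names before the grant is recorded, the resulting token carries a fixed scope list and gains nothing if the registry grows later.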

If you have 178 scopes you’re requesting, you’re doing something wrong. There are 71 ESI scopes in all. Of those, 58 are read only scopes, the rest being write scopes in some fashion. On top of that, out of those 71 scopes, 24 of them are corporate scopes, thus irrelevant to anyone in your corp that doesn’t have roles pertaining to those scopes. I don’t see why you’d need to ask a user if you can send mail, tamper with their contacts list or fittings, or many other of the various write endpoints either. Unless you’re writing tools for people to act on those things out of game perhaps.

Just to add on to what @Krysenth said, if, as you are saying, you are replacing an existing tool that was using XML you’re not going to need any of the write scopes since you didn’t have any of those using XML anyways.

The bottom line is that you are massively misusing the whole SSO / scope concept. I realize that replacing existing XML API apps is hard, but calling the system broken because of that is just plain wrong. Yes, it requires some pretty substantial changes, but most of those are necessary specifically because of things that were broken by design in XML.

Just to clarify, I’m not saying adding some sort of scope grouping wouldn’t be a good thing, there is definitely a case to be made for it, but there are existing issues for it on the sso issues repo, that would be a better venue to make your case for requiring them.


Just to add one extra layer of clarification:

If you have your CEO auth twice, once for the character scopes and once for the corp scopes, you can store both of those refresh tokens and reuse them at will. You just need to set up your db such that you can store both against the user (see Steve’s reply above).

This has been said before, but you don’t seem to have taken it in. You keep saying your users will have to repeatedly auth for each thing they want to do, but that’s just not true. Store the refresh tokens along with information as to what scopes that token has and you can keep reusing them.

Previous refresh tokens are only removed if they have the same scopes as the new one.
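The approach described in the replies above (several grants, each refresh token stored with its scopes), as an added example that is not code from any poster or from CCP. The authorize endpoint, client values and scope names are placeholders constructed for the example; the 2048 limit is the figure used in the thread.

```python
from urllib.parse import urlencode

AUTHORIZE = "https://sso.example/oauth/authorize"  # placeholder endpoint
MAX_URL = 2048  # URL length limit discussed in the thread
# Constructed scope names, not the real ESI list.
SAMPLE_SCOPES = [f"esi-sample.read_thing_{i:03d}.v1" for i in range(178)]


def authorize_url(scopes, client_id, redirect_uri, state):
    """Build an OAuth2 authorization-code request for one group of scopes."""
    params = {"response_type": "code", "redirect_uri": redirect_uri,
              "client_id": client_id, "scope": " ".join(scopes), "state": state}
    return f"{AUTHORIZE}?{urlencode(params)}"


def split_grants(scopes, client_id, redirect_uri, state):
    """Greedily group scopes so every authorize URL stays within MAX_URL."""
    groups, current = [], []
    for scope in scopes:
        candidate = current + [scope]
        if len(authorize_url(candidate, client_id, redirect_uri, state)) > MAX_URL:
            if not current:
                raise ValueError(f"scope alone exceeds URL limit: {scope}")
            groups.append(current)
            current = [scope]
        else:
            current = candidate
    if current:
        groups.append(current)
    return groups


class TokenStore:
    """Refresh tokens per character, each recorded with the scopes it carries."""

    def __init__(self):
        self._tokens = {}  # character_id -> [(frozenset of scopes, refresh token)]

    def save(self, character_id, scopes, refresh_token):
        granted = frozenset(scopes)
        # A new token replaces an old one only when the scope set is identical.
        kept = [t for t in self._tokens.get(character_id, []) if t[0] != granted]
        self._tokens[character_id] = kept + [(granted, refresh_token)]

    def token_for(self, character_id, needed_scope):
        for granted, token in self._tokens.get(character_id, []):
            if needed_scope in granted:
                return token
        return None
```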

I have already solved this, but you are wrong. It’s not that I don’t understand you. This has nothing to do with the tokens, but to do with the max length supported for a URL. The only browser to actually support longer urls is Chrome, which still leaves 40% of all web users unable to use my service unless I force them to use Chrome.

Tokens are created inc refresh tokens with the scopes requested on creation. In order to get all the scopes needed to replicate the existing system, the URL becomes longer than the max.

If I choose a subset of scopes for users to make the url shorter and compliant, I will force users to re-log into the site to request new tokens with the scopes I need.

Bottom dollar, to use all the features my site ALREADY uses, I have to either create subsets of tools, where you have to log into each subset, OR drop some features.

OR force all users to use chrome, because it’s the only browser that doesn’t have max url length.
Edge technically has no max, but it’s a heap of ■■■■ so no one uses it.

In fact, people are twittering on here about tokens and how to auth and have missed the whole point of the topic.
All scopes I need == too long a URL for most browsers except chrome or edge

All character scopes is 1,423 characters with spaces (including the ones you don’t need). What’s your problem again?

He probably can’t comprehend the death of xml/crest means he can remove any scopes that don’t include ‘esi-’ in them.
