From gitter chat. (ref Neil Stevens @StickNitro 15:46 JAN 12)
Scenario
So you have appA and appB
during creation appA was created with userA.id and it gets appA.id
appB userB.id -> appB.id
now you are logging in with userB through appA
after oauth dance client device has a token
now request will go through Gateway pipelines and only token is passed in request
EG resolves token into egContext.consumer:
  id: appA.id
  userId: userA.id
  token.consumerId: appA.id
So the question is where is id of the actual user userB.id?
and there is no such place, which is wrong. It is not the app who is the consumer of the API, it is userB who is the consumer
At least this is what I have locally. Do you have the same?
@StickNitro
Yes, pretty much, except that during creation I have appA created with userA.id, which gets appA.id, and appB created with userA.id, which gets appB.id. But I think the second-last line is accurate in that the consumer of the API is the user, not the app.
Notes:
Token Service stores consumerId relation to token
the problem is that it is called with app id instead of user.id
technically egContext.consumer should have both app.id and user.id
And OAuthtorize server actually has both of them. It is EG tokenService problem that it does not store userid
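
The behaviour described in the notes, as an added example that is not part of the original issue and is not Express Gateway code: a hypothetical in-memory token store resolving the scenario's token first with only the app id recorded, then with the authenticating user's id recorded alongside it. `TokenStore`, `authenticatedUserId` and `resolveScenario` are assumed names, and the app and user records are constructed from the scenario.

```javascript
// Added illustration; not Express Gateway code. All names are hypothetical.
const crypto = require('crypto');

// Constructed sample data matching the scenario: userA owns appA, userB owns appB.
const apps = {
  appA: { id: 'appA', userId: 'userA' },
  appB: { id: 'appB', userId: 'userB' }
};

class TokenStore {
  constructor({ storeUser }) {
    this.storeUser = storeUser;   // false: only the app id is kept with the token
    this.tokens = new Map();
  }

  // End of the OAuth flow: appId is the client, userId is who actually logged in.
  issue(appId, userId) {
    const token = crypto.randomBytes(16).toString('hex');
    const record = { consumerId: appId };
    if (this.storeUser) record.authenticatedUserId = userId;
    this.tokens.set(token, record);
    return token;
  }

  // Per request the gateway only has the token, so it can only return what was stored.
  resolve(token) {
    const record = this.tokens.get(token);
    if (!record) return null;
    const app = apps[record.consumerId];
    return {
      id: app.id,
      userId: app.userId, // owner of the app, not necessarily the caller
      authenticatedUserId: record.authenticatedUserId || null,
      token: { consumerId: record.consumerId }
    };
  }
}

// userB logs in through appA, then the token is resolved as a pipeline would.
function resolveScenario(storeUser) {
  const store = new TokenStore({ storeUser });
  return store.resolve(store.issue('appA', 'userB'));
}

console.log(resolveScenario(false)); // userB appears nowhere in the context
console.log(resolveScenario(true));  // app id and authenticated user id both present
```

With only the app id stored, any per-user policy or audit log downstream attributes userB's requests to userA, the owner of appA.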