Being able to decide which scopes require the consent page #1363
Comments
Could you not configure a If it doesn't, please provide more detailed information for your use case so I can better understand.
It unfortunately won't solve my requirement, because we have multiple scopes available, and it only depends on the client which scopes they choose. So I need more like a scope-level definition on whether to show the consent page or not.
I still do not understand your use case. Please provide much more details on your use case scenarios; otherwise I won't be able to help and this issue will get closed.
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
We would like to have the following setup: (I'm with @merxos)
Right now it is only possible to have either:
or
But you cannot combine those two 🙂
Overall situation of what we would like to have:
Please let us know if this explains it, thanks :)
Given the 3x client flows described above, the following 3x

```java
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;

// client-1: registered for scope-a and scope-b, consent page required
RegisteredClient client1 = RegisteredClient.withId(UUID.randomUUID().toString())
    .clientId("client-1")
    .clientSecret("{noop}secret")
    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
    .redirectUri("http://127.0.0.1:8080/authorized")
    .scope("scope-a")
    .scope("scope-b")
    .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
    .build();

// client-2: registered for scope-a only, consent page skipped
RegisteredClient client2 = RegisteredClient.withId(UUID.randomUUID().toString())
    .clientId("client-2")
    .clientSecret("{noop}secret")
    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
    .redirectUri("http://127.0.0.1:8080/authorized")
    .scope("scope-a")
    .clientSettings(ClientSettings.builder().requireAuthorizationConsent(false).build())
    .build();

// client-3: registered for scope-b only, consent page required
RegisteredClient client3 = RegisteredClient.withId(UUID.randomUUID().toString())
    .clientId("client-3")
    .clientSecret("{noop}secret")
    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
    .redirectUri("http://127.0.0.1:8080/authorized")
    .scope("scope-b")
    .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
    .build();
```
That's pretty nice, but the problem is that the clients can later switch what scopes they want - it's up to them. The scopes are not predefined at registration time. One day they only want scopeA, the next day they also want scopeB. This points us to the idea where consent page on/off is also bound to scope rather than just client.
I need more details on how you implemented dynamic scope configuration for the clients? Because with the default configuration, if
To answer your question: We have a system where we are able to dynamically change the registered scopes. By implementing a custom But I just realized that what we mean was not clear from my previous comments. The dynamic client scopes are a distraction - it is not important for this. Here is an updated example (with just 1 client)
Here is an (example) implementation @merxos put together: merxos#1. Sorry for the confusion.
If you're able to dynamically change the registered scopes then why can't you also update to
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
The RegisteredClientRepository with its clients is built at the startup of the app. The client has both of the scopes available and it is up to him which scopes he chooses to use. So we need to decide whether to show the consent page or not right in the authentication request that the client does, where the RegisteredClientRepository is already built.
@merxos I now understand your use case.
Flow 1: I see now that the We'll keep this issue open and see if there is demand from other users for this capability.
@jgrandja Yes, this indeed is something we would find useful - with some scopes, clients do not need to go through the hassle of granting consent.
@merxos @PunchyRascal I'll close this as a duplicate of gh-1541. You can now configure a
Expected Behavior
I'm able to select which scopes require the consent page. Probably in the OAuth2 client registration
Current Behavior
Right now it is possible to require the consent page for every scope or never show it
Context
I got a business requirement where one of the scopes that we provide should not display the consent page. I was able to make a workaround which is not optimal: I have made a copy of the OAuth2AuthorizationCodeRequestAuthenticationProvider and adjusted the method requireAuthorizationConsent.
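The workaround described above, as an added illustration that is neither code from this issue nor from Spring Authorization Server: a scope-aware version of the consent decision, where scopes listed in an exempt set never trigger the consent page while every other requested scope still does. The class name, the CONSENT_EXEMPT_SCOPES set, the principal name "user1" and the authorization URI are assumptions; client-1 is the registration posted earlier in the thread. It compiles against spring-security-oauth2-authorization-server 1.x.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;

/**
 * Illustration only, not project code: the consent decision with a per-scope
 * exemption added, mirroring the shape of the provider's private check.
 */
public class ScopeAwareConsentCheck {

    // Hypothetical policy: scopes this deployment has decided never need a consent screen.
    static final Set<String> CONSENT_EXEMPT_SCOPES = Set.of("scope-a");

    static boolean requireAuthorizationConsent(RegisteredClient registeredClient,
            OAuth2AuthorizationRequest authorizationRequest,
            OAuth2AuthorizationConsent authorizationConsent,
            Set<String> consentExemptScopes) {

        // The client-level switch still wins: consent disabled for the client means no page at all.
        if (!registeredClient.getClientSettings().isRequireAuthorizationConsent()) {
            return false;
        }

        // Strip scopes that never need consent. 'openid' is treated as exempt here;
        // the framework's own check only skips consent when 'openid' is the sole scope.
        Set<String> needingConsent = new HashSet<>(authorizationRequest.getScopes());
        needingConsent.remove(OidcScopes.OPENID);
        needingConsent.removeAll(consentExemptScopes);
        if (needingConsent.isEmpty()) {
            return false;
        }

        // A previously stored consent covering every remaining scope also skips the page.
        return authorizationConsent == null
                || !authorizationConsent.getScopes().containsAll(needingConsent);
    }

    // Constructed authorization request for client-1 with the given scopes.
    private static OAuth2AuthorizationRequest request(String... scopes) {
        return OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri("http://localhost:9000/oauth2/authorize") // assumed issuer
                .clientId("client-1")
                .redirectUri("http://127.0.0.1:8080/authorized")
                .scope(scopes)
                .build();
    }

    public static void main(String[] args) {
        // client-1 from the thread: both scopes registered, consent required at client level.
        RegisteredClient client1 = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client-1")
                .clientSecret("{noop}secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:8080/authorized")
                .scope("scope-a")
                .scope("scope-b")
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                .build();

        // Constructed: the user already consented to scope-b for this client on an earlier visit.
        OAuth2AuthorizationConsent priorConsent = OAuth2AuthorizationConsent
                .withId(client1.getId(), "user1")
                .scope("scope-b")
                .build();

        // Only the exempt scope is requested.
        System.out.println("scope-a only: "
                + requireAuthorizationConsent(client1, request("scope-a"), null, CONSENT_EXEMPT_SCOPES));
        // scope-b is requested too and no consent has been recorded for it.
        System.out.println("scope-a + scope-b, no prior consent: "
                + requireAuthorizationConsent(client1, request("scope-a", "scope-b"), null, CONSENT_EXEMPT_SCOPES));
        // scope-b is requested but the stored consent already covers it.
        System.out.println("scope-a + scope-b, prior consent for scope-b: "
                + requireAuthorizationConsent(client1, request("scope-a", "scope-b"), priorConsent, CONSENT_EXEMPT_SCOPES));
    }
}
```

Two caveats when wiring something like this in. An exempt scope is one the user is never asked about, so the exempt set should hold only scopes that grant nothing the user would want to veto; a scope that reads user data does not belong in it. And because the page is skipped, no OAuth2AuthorizationConsent record is written for those scopes, so anything that later inspects stored consents (revocation screens, audits) will not see them.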