Provide default scopes if client is not requesting a specific scope

Created on 5 March 2017, over 7 years ago
Updated 1 September 2022, almost 2 years ago

Problem/Motivation

The scope argument is optional in the OAuth2 framework. Therefore the resource owner is allowed to provide a default behavior for a situation where a client is not requesting a specific scope. The current behavior is that all the Scopes configured for the client will be applied, but user roles are ignored.

Proposed resolution

  • Add all user roles by default as a scope if client does not request any scopes.
  • Document the behavior for the situation where no scope is requested

Remaining tasks

User interface changes

API changes

User roles are added to the scopes when the client requests an access token without providing any scopes.

Data model changes
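The resolution rule described above, as an added example that is not code from the simple_oauth module or from the issue author. It models the two code paths an authorization server has when the `scope` parameter is absent (use a predefined default, or fail with `invalid_scope`, per RFC 6749 section 3.3) and lets the current behavior (consumer scopes only) be compared with the proposed one (consumer scopes plus the user's roles). Role names doubling as scope names, the array-based consumer/user representation, and the `ScopeResolver`/`InvalidScopeException` names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not part of the simple_oauth module. Scope resolution for a
// token request, covering the "no scope requested" case discussed in this issue.
// Roles used as scope names and the array-shaped inputs are demo assumptions.

final class InvalidScopeException extends RuntimeException {}

final class ScopeResolver
{
    /**
     * @param string[] $requested      The "scope" parameter already split on whitespace; [] if absent.
     * @param string[] $consumerScopes Scopes configured on the consumer (client).
     * @param string[] $userRoles      Roles of the resource owner the token is issued for.
     * @param bool     $includeRoles   false = current behavior (roles ignored),
     *                                 true  = behavior proposed in this issue.
     * @return string[] Effective scopes, deduplicated, order preserved.
     */
    public static function resolve(
        array $requested,
        array $consumerScopes,
        array $userRoles,
        bool $includeRoles = true
    ): array {
        // The set of scopes this consumer may grant to this particular user.
        $grantable = $includeRoles
            ? array_merge($consumerScopes, $userRoles)
            : $consumerScopes;
        $grantable = array_values(array_unique($grantable));

        if ($requested === []) {
            // No scope requested: RFC 6749 section 3.3 says use a predefined default or fail.
            // Never issue a token with an empty scope set.
            if ($grantable === []) {
                throw new InvalidScopeException('invalid_scope: no default scope for this consumer/user');
            }
            return $grantable;
        }

        // Explicit request: every requested scope must be grantable.
        // Reject unknown scopes instead of silently dropping them.
        $unknown = array_values(array_diff($requested, $grantable));
        if ($unknown !== []) {
            throw new InvalidScopeException('invalid_scope: ' . implode(' ', $unknown));
        }
        return array_values(array_unique($requested));
    }

    /** Split the raw "scope" parameter as sent on the wire (space-delimited). */
    public static function parseScopeParam(?string $raw): array
    {
        if ($raw === null || trim($raw) === '') {
            return [];
        }
        return array_values(array_filter(preg_split('/\s+/', trim($raw))));
    }
}

// Demo: two users with different roles share one consumer. The consumer
// configuration and role lists below are constructed for this example.
$consumerScopes = ['content_editor'];
$editor = ['content_editor'];
$admin  = ['content_editor', 'administrator'];

// Current behavior: roles ignored, both users get the consumer's scopes only.
print_r(ScopeResolver::resolve([], $consumerScopes, $editor, false));
print_r(ScopeResolver::resolve([], $consumerScopes, $admin, false));

// Proposed behavior: the default differs per user because roles are included.
print_r(ScopeResolver::resolve([], $consumerScopes, $editor));
print_r(ScopeResolver::resolve([], $consumerScopes, $admin));

// Explicit request that is honored, and one that must be refused.
print_r(ScopeResolver::resolve(ScopeResolver::parseScopeParam('content_editor'), $consumerScopes, $editor));
try {
    ScopeResolver::resolve(['administrator'], $consumerScopes, $editor);
} catch (InvalidScopeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The `$grantable` set is computed once and used for both paths, so the default for a user is exactly the set that user could also request explicitly; that keeps the "no scope" case from granting anything an explicit request would be refused, and the empty-set check guarantees a consumer with no configured scopes for a user with no roles gets an `invalid_scope` error rather than a token with no scopes.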

✨ Feature request
Status

Closed: outdated

Version

5.2

Component

Code

Created by

🇫🇮 lauriii (Finland)


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 grasmash (United States)

    I don't understand how this can be achieved in 6.0. The goal is to dynamically assign scopes based on the user role. The ability to add default roles per consumer does not achieve assigning default roles per user -- users of different roles may use the same consumer.
