- Issue created by @bojan_dev
- Merge request !172 Issue #3507450: Introduce access policy + cache context for oauth2 scopes → (Open) created by bojan_dev
When dealing with multiple consumers that have set the same default user, this will result in unexpected access behaviour. The current cache context is based on roles; this made sense in simple_oauth 5.2, where scopes are roles, but in 6.0 the scopes are a separate entity which references permissions or roles.
We should introduce the new access policy (from Drupal 10.3) and custom cache context for scopes. This way the cache keys will be unique by user and requested scopes. Leveraging the access policy will also give the community possibilities to alter or add their own policies.
Drupal 10.2 is EOL, so we can increase the minimum Drupal core requirement to 10.3 and don't have to consider BC.
A workaround that can be used is to set a different default user (with unique roles) per consumer.
Active
6.0
Code
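As an added illustration of the two pieces the issue asks for (a scope-based cache context plus a Drupal 10.3 access policy), not code from the simple_oauth module or from merge request !172: the `oauth2_scopes` context id, the `my_oauth_scopes` namespace, the `ScopeResolverInterface` helper and the way scopes are read from the token are all assumptions made for this example; the core `CacheContextInterface` and `AccessPolicyBase` APIs are real.

```php
<?php

declare(strict_types=1);

// Added example, not simple_oauth code. In a real module each class lives in
// its own file; they are grouped here only for readability.
namespace Drupal\my_oauth_scopes;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Cache\Context\CacheContextInterface;
use Drupal\Core\Session\AccessPolicyBase;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Session\CalculatedPermissionsItem;
use Drupal\Core\Session\RefinableCalculatedPermissionsInterface;

/**
 * Hypothetical helper (assumption): resolves the scope ids granted to the
 * current request's token, e.g. ['content:read', 'profile:write'], or [] when
 * the request is not authenticated via OAuth2, and maps scope ids to the
 * permissions the scope entities reference.
 */
interface ScopeResolverInterface {
  public function getScopeIds(AccountInterface $account): array;
  public function getPermissionsForScopes(array $scope_ids): array;
}

/**
 * Cache context "oauth2_scopes": varies cached output by the granted scopes
 * instead of by roles only.
 *
 * Registered in my_oauth_scopes.services.yml as:
 *   cache_context.oauth2_scopes:
 *     class: Drupal\my_oauth_scopes\OAuth2ScopesCacheContext
 *     arguments: ['@current_user', '@my_oauth_scopes.scope_resolver']
 *     tags: [{ name: cache.context }]
 */
final class OAuth2ScopesCacheContext implements CacheContextInterface {

  public function __construct(
    private readonly AccountProxyInterface $currentUser,
    private readonly ScopeResolverInterface $scopeResolver,
  ) {}

  public static function getLabel(): string {
    return 'OAuth2 scopes';
  }

  public function getContext(): string {
    $ids = $this->scopeResolver->getScopeIds($this->currentUser);
    // Sort so the same scope set yields the same key regardless of the order
    // in which the consumer requested the scopes.
    sort($ids);
    return $ids === [] ? 'none' : implode(',', $ids);
  }

  public function getCacheableMetadata(): CacheableMetadata {
    return new CacheableMetadata();
  }

}

/**
 * Access policy: adds the permissions referenced by the token's scopes and
 * keys the calculated permissions on user + scopes, so two consumers that
 * share a default user get distinct cache entries.
 *
 * Registered as a service with: tags: [{ name: access_policy }]
 */
final class OAuth2ScopeAccessPolicy extends AccessPolicyBase {

  public function __construct(private readonly ScopeResolverInterface $scopeResolver) {}

  public function calculatePermissions(AccountInterface $account, string $scope): RefinableCalculatedPermissionsInterface {
    $calculated = parent::calculatePermissions($account, $scope);
    $scope_ids = $this->scopeResolver->getScopeIds($account);
    if ($scope_ids === []) {
      // Not an OAuth2 request: contribute nothing, core policies still apply.
      return $calculated;
    }
    $permissions = $this->scopeResolver->getPermissionsForScopes($scope_ids);
    // FALSE: a scope item never grants the admin flag.
    $calculated->addItem(new CalculatedPermissionsItem($permissions, FALSE));
    return $calculated;
  }

  public function getPersistentCacheContexts(): array {
    return ['user', 'oauth2_scopes'];
  }

}
```

The cache context is what makes the policy safe to cache: with `user.roles` alone, every consumer bound to the same default user hits the same cache entry, whereas `oauth2_scopes` folds the granted scope set into the key. How the policy interacts with core's role-based policy for the default user's own roles depends on the module's 6.0 design and is not shown here.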