  • Custom message to client redirect URI with unauthorized and authorized scope in one r

    Hello again folks:

    So the requirement is that when the client sends a request with scopes, my service validates the ones that are authorized and does not show unauthorized scopes on the access confirmation page. When the user clicks "confirm" and the response is generated to send back the access token with the granted scope, I wanted to send a message in this response saying that a few scopes were rejected based on unauthorized access. Is that possible, and which class/method should I start with for this implementation? Thanks

  • #2
    In an auth code grant the response from a confirmation is not an access token, and I'm not 100% sure I follow your use case. Do you want to conditionally deny the access token grant when the user has insufficient privileges? I'm guessing. The auth code flow is covered in AuthorizationEndpoint and its dependencies, all of which are explicit, so I assume you can do everything with UserApprovalHandler and AuthorizationRequestManager, but not really sure without more detail.


    • #3
      Originally posted by Dave Syer View Post
      In an auth code grant the response from a confirmation is not an access token, and I'm not 100% sure I follow your use case. Do you want to conditionally deny the access token grant when the user has insufficient privileges? I'm guessing. The auth code flow is covered in AuthorizationEndpoint and its dependencies, all of which are explicit, so I assume you can do everything with UserApprovalHandler and AuthorizationRequestManager, but not really sure without more detail.
      Thanks for the reply Dave again.

      What I am saying is that the Client redirects the resource owner to the auth server. The owner logs in and is then shown a list of scopes the Client is requesting. Currently, my implementation (which is working) validates those requested scopes against the scopes the client has access to (for example, out of 5 requested scopes, only 3 will be shown on the confirmation page). Once the resource owner clicks "allow" and the auth server redirects the owner to the redirect URI on the client, then apart from the normal response, which goes something like this: {access_token:"4322222", scopes:"the 3 granted scopes"}, I wanted to also show something in the response that goes like this: {access_token:"4322222", scopes:"scope1, scope2, scope3", deny_scope:"scope4, scope5"}. Is that possible, and where would I have to plug this implementation in?
      Last edited by deanclkclk; Jul 24th, 2013, 01:14 AM.


      • #4
        Originally posted by deanclkclk View Post
        {access_token:"4322222", scopes:"the 3 granted scope"}
        That response is nothing more than a JSON serialized AccessToken. The simplest and recommended way to change it is by adding a TokenEnhancer to your DefaultTokenServices.

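        The TokenEnhancer approach from the reply above, as an added example that is not code from the thread or from Spring Security OAuth. It assumes the 1.0.x API in use at the time of this thread (OAuth2Authentication.getAuthorizationRequest() and AuthorizationRequest.getAuthorizationParameters()); on 2.0.x the same request parameters are reached through getOAuth2Request().getRequestParameters(). The field name deny_scope and the class name DeniedScopeTokenEnhancer are choices made for this example.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

/**
 * Example TokenEnhancer (not part of Spring Security OAuth) that adds a
 * "deny_scope" field to the token response listing the scopes the client asked
 * for but was not granted. Written against the 1.0.x API discussed in this
 * thread; assumption: OAuth2Authentication exposes getAuthorizationRequest().
 */
public class DeniedScopeTokenEnhancer implements TokenEnhancer {

    /** Name of the extra response field; an arbitrary choice for this example. */
    public static final String DENY_SCOPE = "deny_scope";

    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // The raw "scope" request parameter is what the client originally asked for,
        // before the approval step narrowed it to the scopes the client may have.
        Map<String, String> params = authentication.getAuthorizationRequest().getAuthorizationParameters();
        Set<String> requested = OAuth2Utils.parseParameterList(params.get(OAuth2Utils.SCOPE));

        Set<String> denied = deniedScopes(requested, accessToken.getScope());
        if (denied.isEmpty()) {
            return accessToken; // nothing to report, leave the token untouched
        }

        // Work on a copy: the original may be shared with the token store, and the
        // granted scope set is never changed here, only annotated.
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> info = new LinkedHashMap<String, Object>(accessToken.getAdditionalInformation());
        info.put(DENY_SCOPE, OAuth2Utils.formatParameterList(denied));
        result.setAdditionalInformation(info);
        return result;
    }

    /** Requested minus granted, in request order; package-private so it can be unit tested without Spring. */
    static Set<String> deniedScopes(Set<String> requested, Set<String> granted) {
        Set<String> denied = new LinkedHashSet<String>();
        if (requested == null) {
            return denied;
        }
        for (String scope : requested) {
            if (granted == null || !granted.contains(scope)) {
                denied.add(scope);
            }
        }
        return denied;
    }
}
```

        Wire it in with tokenServices.setTokenEnhancer(new DeniedScopeTokenEnhancer()) on the DefaultTokenServices bean (or a tokenEnhancer property in XML); additionalInformation entries are serialized as top-level fields of the token JSON, so the response gains a deny_scope field next to access_token and scope. Two things to keep in mind: the enhancer only ever subtracts from the requested set and never touches the token's own scope, so it cannot widen a grant; and the field is non-standard, so it is a convenience for your own clients only (RFC 6749 already requires the scope field when the granted set differs from the requested one, which lets any conforming client work out the denied scopes itself). The enhancer also runs on refresh-token grants, where the stored authorization request supplies the original scope parameter.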