-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Scope param added to a bearer token response #800
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me... We need to make sure to also update the documentation to reflect these changes.
As per the spec, the returning of scopes should be optional if there are no changes and mandatory if there have been alterations to the scopes requested. This change would make the server always return the scope. I think it would be better to put this decision into the hands of the implementer instead of always returning a scope to avoid the server being opinionated on this matter. Is it possible to change this so the scopes will only be returned an option has been set on the server to dictate this. That would make the returning of the scopes more in line with the RFC in my opinion |
Since |
Hi @chervand - I think it would be better to have them not set by default. In most situations, if we do not return a scope, the implementer can assume they are unchanged. If we have these on by default, this adds overhead for each request. While probably negligible in most situations, I think it is better we err on the side of caution and only send back the scopes if they have been requested by the implementer, leaving them off by default. We should aim to ensure this change is also backwards compatible. Thanks for offering help with this! |
…earer_response_scope # Conflicts: # src/ResponseTypes/AbstractResponseType.php
…rver into bearer_response_scope
Please, review the updated PR. Not sure if I should add this to the |
Hi @chervand - sorry for my delayed reply. I think this is going in the right direction but I realised that we would have to set the scope policy directly on the response, where as I feel this policy should be set and controlled by the server instead. It makes sense to me that this is a server policy rather than a response type policy. In the authenication server at the moment, we are setting up responses in the function I think this function would be the best place to also set the scope return policy based on the auth servers settings. That way, the server dictates this instead of the response itself. One potential problem I can see with this is that we would need to call If you can think of an alternative approach though, I'd very much welcome your thoughts. |
Hi @Sephster, sorry for the delay too. I'm still interested in this feature and I agree that this is an auth server policy rather than a response type policy.
I can see 3 possible solutions now:
Let me know what do you think please. |
@chervand @Sephster just been looking through comments on this issue/PR and I think extending Having said that, bundling into a new major release wouldn't be that bad - the fact is there are not thousands of people calling for this at the moment, so maybe we don't need to go to the trouble of extending and checking which interface is being implemented. |
#793 scope param added to a bearer token response