Implement support for user consent #4

Manually merged

ansv7779 merged 13 commits from user-consent into main 2025-04-25 10:22:44 +02:00

Conversation 0 Commits 13 Files Changed 31 +894 -57

ansv7779 commented 2025-04-24 16:37:35 +02:00

Owner

Copy Link

Clients now always require consent unless someone with developer access disables it.

Allows everyone to register new clients.

Clients now always require consent unless someone with developer access disables it. Allows everyone to register new clients.

ansv7779 added 13 commits 2025-04-24 16:37:36 +02:00

Support for configuring end user consent requirement for clients ... ea5c3a1c00

Developers can decide if consent is required and for everyone else it is *always* required.

Test for authorization code flow with consent 1b08cdaf44

Add consent page c8f28d8283

Add consent page (GUI) 0c55c25abf

Add proper tests for the consent page e826ce523d

Expand on what each scope means during user consent efcfddaa70

Do not ask for consent for "openid" scope ... 119e27f5da

The scope itself does nothing, without any of the additional OIDC scopes such as "profile" or "email" the ID token is completely empty. Therefore, it is unneccessary to ask for consent for it and it would just complicate matters. What would happen if a user consented to the "profile" scope but not the "openid" scope?

Skip consent for developers in staging ... f1fbd306e2

With the custom authorization in place, the current user is always the developer while the authorization request token may contain a custom principal. When Spring Authorization Server attempts to validate the submitted consent, it checks that the current user is the same as the authorization request token - which it is not. The easiest solution is to disable consent in staging for developers.

Handle consent token coming back during custom authorization flow 2ebf8c649d

Persist granted user consent e79387bc2e

Handle denying consent 31cd05b12e

Show exactly what personal information is being asked for during consent 29924e6d42

Allow everyone to register clients c48eee489b

ansv7779 referenced this issue from a commit 2025-04-25 10:21:47 +02:00

Support for user consent (#4)

ansv7779 manually merged commit 18945e22bf into main 2025-04-25 10:22:44 +02:00

ansv7779 deleted branch user-consent 2025-04-28 12:08:06 +02:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: DMC/oauth2-authorization-server#4

No description provided.