Implement support for user consent #4

ansv7779 · 2025-04-24T16:37:35+02:00

ansv7779 commented

2025-04-24 16:37:35 +02:00

Clients now always require consent unless someone with developer access disables it.

Allows everyone to register new clients.

Clients now always require consent unless someone with developer access disables it. Allows everyone to register new clients.

ansv7779 added 13 commits 2025-04-24 16:37:36 +02:00

Support for configuring end user consent requirement for clients ea5c3a1c00

Developers can decide if consent is required and for everyone else it is *always* required.

Test for authorization code flow with consent 1b08cdaf44

Add consent page c8f28d8283

Add consent page (GUI) 0c55c25abf

Add proper tests for the consent page e826ce523d

Expand on what each scope means during user consent efcfddaa70

Do not ask for consent for "openid" scope 119e27f5da

The scope itself does nothing, without any of the additional OIDC scopes such as "profile" or "email" the ID token is completely empty. Therefore, it is unneccessary to ask for consent for it and it would just complicate matters. What would happen if a user consented to the "profile" scope but not the "openid" scope?

Skip consent for developers in staging f1fbd306e2

With the custom authorization in place, the current user is always the developer while the authorization request token may contain a custom principal. When Spring Authorization Server attempts to validate the submitted consent, it checks that the current user is the same as the authorization request token - which it is not. The easiest solution is to disable consent in staging for developers.

Handle consent token coming back during custom authorization flow 2ebf8c649d