
OAuth2Application should have scope #25813

Open

@hickford

Description

Feature Description

OAuth2Application should record scope at registration.

OAuth2Grant scope should then be restricted to a subset of application scope.

This security improvement is especially valuable for public clients, which are inherently vulnerable to client impersonation.

The consent screen should list the application scope (screenshot: https://imgur.com/a/7RRUPES).

Screenshots

GitLab has this feature https://docs.gitlab.com/ee/integration/oauth_provider.html

GitHub does not
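To make the proposed check concrete, here is an added example in Go (not code from the original issue or from the project it is filed against) of the rule "grant scope must be a subset of the scope recorded at application registration". The `OAuth2Application` struct, `RestrictGrantScope` and `parseScope` are hypothetical names assumed for this illustration, and the scope values in `main` are constructed sample data. Scopes follow the RFC 6749 convention of a space-delimited string. A request that names a scope outside the registered set is rejected with `invalid_scope`, which is what blocks an impersonator of a public client from obtaining broader access than the legitimate registration allows; an empty request falls back to the full registered scope, which is also what a consent screen would list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OAuth2Application is a hypothetical registration record for this example
// (not the project's own model). Scope is recorded once, at registration,
// as a space-delimited scope string.
type OAuth2Application struct {
	ClientID string
	Scope    string
}

// parseScope turns an RFC 6749 scope string ("read:user read:repository")
// into a set; repeated tokens collapse to one entry.
func parseScope(s string) map[string]bool {
	set := map[string]bool{}
	for _, tok := range strings.Fields(s) {
		set[tok] = true
	}
	return set
}

// joinScope renders a scope set back into a canonical (sorted) scope string,
// so results are stable regardless of the order in which scopes were requested.
func joinScope(set map[string]bool) string {
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return strings.Join(out, " ")
}

// RestrictGrantScope decides the scope an OAuth2 grant may carry for a request
// against app. An empty request yields the application's full registered
// scope; otherwise every requested scope must already be registered for the
// application, and any scope outside that set rejects the whole request.
func RestrictGrantScope(app OAuth2Application, requested string) (string, error) {
	allowed := parseScope(app.Scope)
	req := parseScope(requested)
	if len(req) == 0 {
		return joinScope(allowed), nil
	}
	var rejected []string
	for s := range req {
		if !allowed[s] {
			rejected = append(rejected, s)
		}
	}
	if len(rejected) > 0 {
		sort.Strings(rejected)
		return "", fmt.Errorf("invalid_scope: %q not registered for client %s",
			strings.Join(rejected, " "), app.ClientID)
	}
	return joinScope(req), nil
}

func main() {
	// Constructed sample registration: a public client registered for read-only scopes.
	app := OAuth2Application{ClientID: "example-public-client", Scope: "read:user read:repository"}

	// A request within the registered scope is narrowed to exactly what was asked.
	scope, err := RestrictGrantScope(app, "read:user")
	fmt.Println("narrowed grant:", scope, err)

	// A request that reuses the public client_id but asks for more than was
	// registered is refused, so an impersonator gains nothing beyond the registration.
	scope, err = RestrictGrantScope(app, "read:user write:repository")
	fmt.Println("over-broad request:", scope, err)

	// No explicit scope: the grant receives the full registered scope, which is
	// also what the consent screen should display to the user.
	scope, err = RestrictGrantScope(app, "")
	fmt.Println("default grant:", scope, err)
}
```

The subset check is deliberately all-or-nothing rather than silently dropping unregistered scopes: returning an `invalid_scope` error makes a misconfigured or impersonating client visible at the authorization endpoint instead of quietly issuing a narrower grant the client did not expect.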

Metadata

Assignees

No one assigned

Labels

- proposal/accepted: We have reviewed the proposal and agree that it should be implemented like that/at all.
- type/feature: Completely new functionality. Can only be merged if feature freeze is not active.
- type/proposal: The new feature has not been accepted yet but needs to be discussed first.

    Milestone

    No milestone
