It is not clear from the existing help text displayed on the consumer configuration form how roles and scopes interact. That is, it's easy to misunderstand if scopes add capabilities to a user, or if it's a way to limit capabilities of users through a consumer. (It's the latter.)

The attached patch adds this sentence:

Access tokens will be granted only for scopes (roles) requested by the user and made available here, and only if they overlap with the user's existing roles.

That's a lot of "and"s but I struggled to make it more concise.

CommentFileSizeAuthor
simple_oauth-consumer-helptext.patch946 bytesbradjones1

Comments

bradjones1 created an issue. See original summary.

bradjones1’s picture

Version: 8.x-4.x-dev » 5.x-dev
dieterholvoet’s picture

This is a much needed change! Struggled a lot to understand how roles/scopes work in context of #2857930: Provide default scopes if client is not requesting a specific scope.

bojan_dev’s picture

Status: Needs review » Closed (won't fix)

5.2.x will no longer receive any new updates due to the announced EOL. If this issue is still relevant for 6.0+, feel free to reopen the issue.

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.