KorAP / Kalamar

:octopus: Mojolicious-based Frontend for KorAP
BSD 2-Clause "Simplified" License

Handling unknown authorization scope #191

Closed margaretha closed 1 year ago

margaretha commented 1 year ago

Kalamar should disallow asking for an unknown authorization scope.


Example request:

https://korap.ids-mannheim.de/instance/test/settings/oauth/authorize?client_id=clientId&redirect_uri=redirect_uri&response_type=code&state=ZMwDGTZ2RY&scope=unknown
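The check the issue asks for, as an added illustration that is not Kalamar's code and not the KorAP backend's: the authorization endpoint validates the client and its registered redirect URI first, then splits the space-delimited `scope` value and compares it with the scopes the server knows. An unknown scope is answered with `error=invalid_scope` (RFC 6749 section 4.1.2.1), sent to the registered redirect URI with the original `state` echoed back; if the `redirect_uri` itself is not registered for the client, the request is refused outright and nothing is redirected. The scope names, the client registration, `check_authorize_request` and the sample URLs are all constructed for this example.

```python
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Constructed example data (hypothetical, not KorAP's registry): the scopes this
# authorization server knows, and the redirect URIs registered per client.
KNOWN_SCOPES = {"search", "match_info", "openid"}
REGISTERED_CLIENTS = {
    "clientId": {"https://client.example/callback"},
}


def parse_scope(scope_param):
    """Split an RFC 6749 scope value (space-delimited tokens) into a list."""
    return [tok for tok in scope_param.split(" ") if tok]


def check_authorize_request(url):
    """Validate the query string of an authorization request.

    Returns one of:
      ("ok", set_of_scopes)      every requested scope is known
      ("redirect", error_url)    unknown scope, but redirect_uri is registered,
                                 so the client gets error=invalid_scope plus state
      ("reject", reason)         client_id or redirect_uri is invalid; never
                                 redirect in that case
    """
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    client_id = q.get("client_id", "")
    redirect_uri = q.get("redirect_uri", "")

    # The redirect target is validated before any response is sent to it.
    if client_id not in REGISTERED_CLIENTS:
        return ("reject", "unknown client_id")
    if redirect_uri not in REGISTERED_CLIENTS[client_id]:
        return ("reject", "redirect_uri not registered for client")

    requested = set(parse_scope(q.get("scope", "")))
    unknown = requested - KNOWN_SCOPES
    if unknown:
        err = {"error": "invalid_scope"}
        if "state" in q:
            # Echo state unchanged so the client can match the error to its request.
            err["state"] = q["state"]
        r = urlparse(redirect_uri)
        prefix = r.query + "&" if r.query else ""
        return ("redirect", urlunparse(r._replace(query=prefix + urlencode(err))))
    return ("ok", requested)


if __name__ == "__main__":
    # Constructed request in the same shape as the one in the issue, with a
    # registered redirect URI and an unknown scope.
    sample = ("https://korap.example/settings/oauth/authorize?client_id=clientId"
              "&redirect_uri=https%3A%2F%2Fclient.example%2Fcallback"
              "&response_type=code&state=ZMwDGTZ2RY&scope=unknown")
    print(check_authorize_request(sample))
```

With the placeholder values from the issue's own request (`redirect_uri=redirect_uri`), the function refuses the request rather than redirecting, because that value is not a registered URI for the client; only a registered redirect target ever receives the `invalid_scope` error.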

Akron commented 1 year ago

I think the handling needs to be done in the backend. However, if we want to have a second step of access granting, where Kalamar reports which scopes are accepted and what the final redirect looks like, that should be doable in Kalamar. Having a separate background checking step or keeping a list of valid scopes in the frontend seems unnecessary to me.

Akron commented 1 year ago

For me, that's a wontfix.