Open margaretha opened 1 year ago
registered_by:
I agree that it is a data-security-sensitive subject. On the other hand, it might be helpful information for some users, for example, if you want to install only clients of a certain institution, etc.
All in all we probably should delete it, but keep that in mind.
registered_by has been omitted as also discussed in #572.
We agreed to keep the existing behavior of the web-service, and deprecate the parameter authorized_only. It should then be removed from the system in the next versions.
Another more appropriate parameter filter_by should be introduced with two possible string values, authorized_only or owned_only. The parameter is optional; when it is not set, it should list all clients. But as long as authorized_only exists, it has a higher priority, so the web-service will behave according to the value of authorized_only.
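The parameter precedence agreed on in the comment above, sketched as an added example; it is not part of the thread and not Kustvakt's code. The names Client, resolve_filter, list_clients and the owned response field are hypothetical, and it assumes that "exists" means authorized_only was sent in the request and that "all clients" means those the user owns or has authorized.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample model; class, field and function names are hypothetical.
@dataclass(frozen=True)
class Client:
    client_id: str
    registered_by: str        # owner's username, kept server-side only
    authorized_by: frozenset  # usernames that have authorized this client

FILTERS = ("authorized_only", "owned_only")

def resolve_filter(authorized_only: Optional[bool], filter_by: Optional[str]) -> Optional[str]:
    """Effective filter for one request; None means 'list all clients'."""
    if authorized_only is not None:
        # Deprecated parameter wins while it still exists, with its old meaning:
        # true -> all authorized clients, false -> only clients the user registered.
        return "authorized_only" if authorized_only else "owned_only"
    if filter_by is not None and filter_by not in FILTERS:
        raise ValueError(f"unsupported filter_by value: {filter_by!r}")
    return filter_by

def list_clients(user, clients, authorized_only=None, filter_by=None):
    mode = resolve_filter(authorized_only, filter_by)
    result = []
    for c in clients:
        owned = c.registered_by == user
        authorized = user in c.authorized_by
        if mode == "owned_only":
            keep = owned
        elif mode == "authorized_only":
            keep = authorized
        else:  # assumption: "all" = owned or authorized by the requester
            keep = owned or authorized
        if keep:
            # registered_by is omitted so other users' usernames never leave
            # the service; a boolean tells the requester what they own.
            result.append({"client_id": c.client_id, "owned": owned})
    return result

# Constructed sample data.
CLIENTS = [
    Client("c1", "alice", frozenset({"alice"})),
    Client("c2", "bob", frozenset({"alice", "bob"})),
    Client("c3", "alice", frozenset()),
    Client("c4", "bob", frozenset({"bob"})),
]
```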
The parameter authorized_only in the OAuth2 Client list service is possibly ambiguous.
Only OAuth2 clients registered by a user are listed when authorized_only=false (default).
When authorized_only=true, Kustvakt does not really filter the user-registered clients, but lists all authorized clients, including those not registered by the user himself.
Kustvakt should probably include all authorized clients when authorized_only=false. We need to show which clients are owned/have been registered by the users.
Maybe registered_by should be removed from the response for data security because it would show usernames of other users.