KorAP / Kustvakt

:speedboat: User and policy management component for KorAP, capable of rewriting queries for policy based document restrictions.
BSD 2-Clause "Simplified" License

OAuth2 client list service is maybe ambiguous #579

Open margaretha opened 1 year ago

margaretha commented 1 year ago

The parameter authorized_only in the OAuth2 Client list service is possibly ambiguous.

Only OAuth2 clients registered by a user are listed when authorized_only=false (default).

When authorized_only=true, Kustvakt does not really filter the user-registered clients, but lists all authorized clients, including those not registered by the user himself.

Kustvakt should probably include all authorized clients when authorized_only=false. We need to show which clients are owned by / have been registered by the users.

Maybe registered_by should be removed from the response for data security because it would show usernames of other users.

hebasta commented 1 year ago

registered_by: I agree that it is a data-security-sensitive subject. On the other side, it might be helpful information for some users, for example, if you want to install only clients of a certain institution, etc. All in all we probably should delete it, but keep that in mind.

margaretha commented 2 weeks ago

registered_by has been omitted as also discussed in #572.

margaretha commented 2 weeks ago

We agreed to keep the existing behavior of the web-service, and deprecate the parameter authorized_only. It should then be removed from the system in the next versions.

Another, more appropriate parameter filter_by should be introduced with two possible string values, authorized_only or owned_only. The parameter is optional; when it is not set, it should list all clients. But as long as authorized_only exists, it has a higher priority, so the web-service will behave according to the value of authorized_only.
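A small model of the parameter resolution agreed on above, added here as an illustration and not Kustvakt's own code: the client records, field names and the `list_clients` function are constructed, and "list all clients" is read as the clients the requesting user owns or has authorized. It also shows the response without registered_by, exposing only an ownership flag relative to the caller.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


# Constructed sample records (hypothetical shape, not Kustvakt's data model):
# registered_by is the owner, authorized_by the users who granted the client access.
@dataclass(frozen=True)
class Client:
    client_id: str
    registered_by: str
    authorized_by: FrozenSet[str]


CLIENTS: List[Client] = [
    Client("app-a", "alice", frozenset({"alice", "bob"})),
    Client("app-b", "bob", frozenset({"alice"})),
    Client("app-c", "carol", frozenset()),
]


def list_clients(clients: List[Client], user: str,
                 authorized_only: Optional[bool] = None,
                 filter_by: Optional[str] = None) -> List[dict]:
    """Apply the precedence described in the issue:
    - the deprecated boolean authorized_only wins whenever it is given;
    - otherwise filter_by selects 'authorized_only' or 'owned_only';
    - with neither set, owned and authorized clients are listed together.
    """
    owned = [c for c in clients if c.registered_by == user]
    authorized = [c for c in clients if user in c.authorized_by]

    if authorized_only is not None:  # deprecated parameter keeps priority
        selected = authorized if authorized_only else owned
    elif filter_by == "authorized_only":
        selected = authorized
    elif filter_by == "owned_only":
        selected = owned
    elif filter_by is None:
        # union, owner view first, duplicates removed while keeping order
        selected = list({c.client_id: c for c in owned + authorized}.values())
    else:
        raise ValueError(f"unknown filter_by value: {filter_by!r}")

    # Data minimisation: registered_by is not returned, so other users' names
    # never leak; the caller only learns whether each client is their own.
    return [{"client_id": c.client_id, "owned": c.registered_by == user}
            for c in selected]
```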