DrDaveD
commented
3 years ago I believe I have addressed the comments that were made in yesterday's call. Please review the current version.
Closed DrDaveD closed 3 years ago
DrDaveD
commented
3 years ago I believe I have addressed the comments that were made in yesterday's call. Please review the current version.
hannahshort
commented
3 years ago @DrDaveD The behaviour what happens when you request a group that you're not entitled to is strangely worded. It seems to imply that (at the same time) the server could ignore the scope that the user is not entitled to and return an access token without that authorization AND return an error.
If an entity is not entitled to a group, the scope requested may be ignored by the server and the corresponding token may not have the corresponding claims; in this case, section 3.3 of RFC 6749 requires the token issuer to inform the client. A server may also return an error during the authorization request. Client software implementations should always verify the scopes present in the returned token.We should at least be consistent. Maybe I'm just misunderstanding this...
DrDaveD
commented
3 years ago @hannahshort I didn't think the extra phrase implied returning an access token, it said that an access token would not be returned, but in any case I removed the phrase that seemed confusing in this last update.
I also submitted a separate pr #13 to change the behavior for wlcg.groups to similarly reject requests for unauthorized groups.
This PR is against the branch created in PR #6, modifying it to reflect the behavior changes discussed for wlcg.capabilityset, not just the name change.