brighthive / authserver

An OAuth 2.0 server with added services for providing fine-grain access control to Data Trust assets.
MIT License

User should only complete the "consent form" ONCE #22

Open reginafcompton opened 4 years ago

reginafcompton commented 4 years ago

Currently, the authserver does not track if a user completed the "consent form".

Thus, a user must complete the form every-single-time-she-logs-in.

Solution

  1. Add a field in the user model, e.g., consent_form_completed. The new field could either be a boolean field, or it could be the name of the public client (e.g., Facet).
  2. The login route will check the value of this field. If the user has already given consent, then Authserver should go directly to the web application (e.g., Facet).
gregmundy commented 4 years ago

The solution is a bit more complicated than what you are suggesting @reginafcompton. Ideally, there will need to be a model that tracks a user's consent to each application. Also, an API endpoint needs to be exposed that at some point in the future will be used to show a user all clients that they have consented to and (thus be able to revoke consent).
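
To make the per-application consent model concrete, here is an added example (not code from the authserver project; names, the in-memory store and the scope handling are assumptions) that keys consent on (user, client) rather than a single flag on the user, supports the listing and revocation the endpoint would need, and re-prompts when a client later asks for scopes it was never granted:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Assumed stand-in for a database-backed consent model: one row per
# (user_id, client_id), so consent to Facet says nothing about other clients.
@dataclass
class ClientConsent:
    user_id: str
    client_id: str
    scopes: FrozenSet[str]
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


class ConsentStore:
    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], ClientConsent] = {}

    def grant(self, user_id: str, client_id: str, scopes: Iterable[str]) -> None:
        # A fresh grant replaces any earlier (possibly revoked) record.
        self._rows[(user_id, client_id)] = ClientConsent(
            user_id, client_id, frozenset(scopes), datetime.now(timezone.utc))

    def revoke(self, user_id: str, client_id: str) -> bool:
        row = self._rows.get((user_id, client_id))
        if row is None or not row.active:
            return False
        row.revoked_at = datetime.now(timezone.utc)
        return True

    def list_for_user(self, user_id: str) -> List[str]:
        # Backs the "show me every client I have consented to" endpoint.
        return sorted(r.client_id for r in self._rows.values()
                      if r.user_id == user_id and r.active)

    def needs_consent_form(self, user_id: str, client_id: str,
                           requested_scopes: Iterable[str]) -> bool:
        row = self._rows.get((user_id, client_id))
        if row is None or not row.active:
            return True
        # Re-prompt if the client now requests scopes beyond the earlier grant.
        return not frozenset(requested_scopes) <= row.scopes


def login_decision(store: ConsentStore, user_id: str, client_id: str,
                   requested_scopes: Iterable[str]) -> str:
    # What the login route would do after authenticating the user.
    if store.needs_consent_form(user_id, client_id, requested_scopes):
        return "consent_form"
    return "redirect_to_client"
```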

reginafcompton commented 4 years ago

Ah, this: "tracks a user's consent to each application"

I seem to forget that clients (other than Facet) will interact with the AuthServer. Good catch @gregmundy.