camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0

Auth code flow update to fix issue #70 #86

Closed jpengar closed 5 months ago

jpengar commented 7 months ago

What type of PR is this?

What this PR does / why we need it:

Auth code flow update. Fixes #70

Adds further clarification for scenarios where user consent is not given.

I'm afraid the flow is not specific enough. It says "otherwise the flow fails", but does not specify how. The scenario raised in issue #70 may not be 100% clear.

Actually, if the user doesn't consent to the access (where explicit consent is required by the legal basis), the code is still provided in the `GET /authorize` response. And then the `POST /token` operation (where client_id is authenticated) is where the flow will return an error if there is no consent for the requested scopes.

Which issue(s) this PR fixes:

Fixes #70

Special notes for reviewers:

This PR replicates the changes made in the GSMA documentation https://github.com/GSMA-Open-Gateway/Open-Gateway-Documents/pull/61, which fixed https://github.com/GSMA-Open-Gateway/Open-Gateway-Documents/issues/53. Issue #70 was a clone of GSMA Issue 53.

As agreed, issue #70 was discussed in the context of the GSMA technical stream. And if something needs to be piggybacked into CAMARA, it will be raised later for everyone in CAMARA to review. As a result, this PR replicates the same changes that were merged into the GSMA documentation.

I'm aware that this doc overlap and "duplicate" update is a good example of what @bigludo7 raised in issue #82. But for now, we would need to keep documentation in sync in both places, GSMA & CAMARA, when it applies.

Changelog input

N/A

Additional documentation

N/A
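The behaviour described in this PR, as an added example that is not part of the PR or the CAMARA/GSMA documents: a minimal in-memory model in which `GET /authorize` returns a code regardless of consent and `POST /token` reports the missing consent only after the client has authenticated. The client, users, scope name, `run_flow` helper and the `invalid_grant` error code are assumptions; the PR text does not name the error returned.

```python
import secrets

# Constructed sample data (not from the PR): one client, two users.
CLIENTS = {"demo-client": "demo-secret"}
CONSENTS = {("user-a", "demo-client"): {"location:read"}}  # user-b consented to nothing
CONSENT_ERROR = "invalid_grant"  # assumption: the PR text does not name the error code
_codes = {}  # code -> (user, client_id, requested scopes)


def authorize(user, client_id, scopes):
    """GET /authorize: the client is not authenticated here, so a code is
    returned whether or not the user consented."""
    code = secrets.token_urlsafe(16)
    _codes[code] = (user, client_id, frozenset(scopes))
    return {"code": code}


def token(client_id, client_secret, code):
    """POST /token: authenticate the client first, then check consent."""
    expected = CLIENTS.get(client_id)
    if expected is None or not secrets.compare_digest(expected, client_secret):
        return 401, {"error": "invalid_client"}
    grant = _codes.pop(code, None)  # codes are single use
    if grant is None or grant[1] != client_id:
        return 400, {"error": "invalid_grant",
                     "error_description": "unknown or used code"}
    user, _, scopes = grant
    if scopes - CONSENTS.get((user, client_id), set()):
        return 400, {"error": CONSENT_ERROR,
                     "error_description": "consent not given"}
    return 200, {"access_token": secrets.token_urlsafe(24),
                 "token_type": "Bearer", "scope": " ".join(sorted(scopes))}


def run_flow(user, secret="demo-secret"):
    """Run both steps for one user and return the /token result."""
    code = authorize(user, "demo-client", ["location:read"])["code"]
    return token("demo-client", secret, code)


if __name__ == "__main__":
    for user in ("user-a", "user-b"):
        print(user, run_flow(user))
```

In this model a caller that fails client authentication gets `invalid_client` and learns nothing about the user's consent state.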

jpengar commented 7 months ago

Please reviewers, may I ask for your review of this PR to apply the same change as in the GSMA doc, if there are no other objections? CC @rartych

jpengar commented 5 months ago

As per the last comments/reviews above and our discussions in the last WG meeting (20/12), can we then merge this PR? @eric-murray your suggestion is already added and it also has the approval of Orange and DT representatives. If there are no further objections, I will merge it this week after a reasonable time.