The UAA integration currently asks for the following scopes:
openid - this makes sense, it allows you to know who the user is
oauth.approvals - this appears to be a typo - the UAA docs refer to a scope named oauth.approval, which conveys to the bearer authority to "approve or reject clients to act on a user’s behalf" which should not be needed (as evidenced by the typo not actually breaking anything other than missing text on the authorization page).
scim.userids - it's not clear to me why this is needed. The /userinfo endpoint docs state that they require the opend scope only.
cloud_controller.read - this makes sense, as it is needed in order to read what spaces and orgs a user is a member of. It's unfortunate that this scope also gives access to sensitive application credentials, but that's a current limitation of CloudController.
Suggest removing oauth.approvals and scim.userids.
axelaris
commented
4 years ago
The UAA integration currently asks for the following scopes:
openid- this makes sense, it allows you to know who the user isoauth.approvals- this appears to be a typo - the UAA docs refer to a scope namedoauth.approval, which conveys to the bearer authority to "approve or reject clients to act on a user’s behalf" which should not be needed (as evidenced by the typo not actually breaking anything other than missing text on the authorization page).scim.userids- it's not clear to me why this is needed. The/userinfoendpoint docs state that they require theopendscope only.cloud_controller.read- this makes sense, as it is needed in order to read what spaces and orgs a user is a member of. It's unfortunate that this scope also gives access to sensitive application credentials, but that's a current limitation of CloudController.Suggest removing
oauth.approvalsandscim.userids.