The UAA integration currently asks for the following scopes:

- `openid` - this makes sense, it allows you to know who the user is
- `oauth.approvals` - this appears to be a typo - the UAA docs refer to a scope named `oauth.approval`, which conveys to the bearer authority to "approve or reject clients to act on a user's behalf" which should not be needed (as evidenced by the typo not actually breaking anything other than missing text on the authorization page).
- `scim.userids` - it's not clear to me why this is needed. The `/userinfo` endpoint docs state that they require the `openid` scope only.
- `cloud_controller.read` - this makes sense, as it is needed in order to read what spaces and orgs a user is a member of. It's unfortunate that this scope also gives access to sensitive application credentials, but that's a current limitation of CloudController.

Suggest removing `oauth.approvals` and `scim.userids`.
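As an added example (not code from this issue or from the UAA project), here is a least-privilege audit of the scope set an integration requests: it pulls the `scope` parameter out of a constructed `/oauth/authorize` URL, reports scopes beyond the two the integration needs, and flags names that are not in a hand-picked subset of documented UAA scope names, suggesting the closest known name so a typo such as `oauth.approvals` is caught before it ships.

```python
"""Audit requested OAuth scopes against the minimal set an integration needs."""
import difflib
from urllib.parse import parse_qs, urlparse

# The scopes this integration actually needs, per the discussion above.
REQUIRED_SCOPES = {"openid", "cloud_controller.read"}

# Constructed subset of scope names documented by UAA / Cloud Controller;
# a real audit would load the full list from the UAA docs or the server.
KNOWN_SCOPES = {
    "openid", "oauth.approval", "scim.userids", "scim.read",
    "cloud_controller.read", "cloud_controller.write",
}

# Constructed authorize URL mirroring the request described in the issue.
AUTHORIZE_URL = (
    "https://uaa.example.com/oauth/authorize?response_type=code&client_id=app"
    "&scope=openid+oauth.approvals+scim.userids+cloud_controller.read"
)


def requested_scopes(authorize_url):
    """Return the set of scope names in the URL's space-separated `scope` parameter."""
    query = parse_qs(urlparse(authorize_url).query)
    return set(" ".join(query.get("scope", [])).split())


def audit_scopes(requested, required=REQUIRED_SCOPES, known=KNOWN_SCOPES):
    """Compare a requested scope set with the required set.

    excess:  requested but not needed (candidates for removal)
    missing: needed but not requested (the integration would break)
    unknown: not a documented scope name, mapped to the closest known name
             (or None) so misspellings stand out
    """
    unknown = {}
    for scope in requested - known:
        match = difflib.get_close_matches(scope, sorted(known), n=1, cutoff=0.8)
        unknown[scope] = match[0] if match else None
    return {
        "excess": sorted(requested - required),
        "missing": sorted(required - requested),
        "unknown": unknown,
    }


if __name__ == "__main__":
    report = audit_scopes(requested_scopes(AUTHORIZE_URL))
    for key, value in report.items():
        print(f"{key}: {value}")
```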