dCache / dcache-view

A web application that provides an easy-to-use user interface for the dCache system.

When authenticating with OIDC, allow per-OP configuration of desired scopes. #275

Open paulmillar opened 2 years ago

paulmillar commented 2 years ago

Different OPs support different scopes.

Currently, dCacheView uses a hard-coded list of scopes to request when initiating implicit flow: openid profile email.

Some OPs use the eduperson_entitlement claim to describe group-membership. The presence of the eduperson_entitlement claim is controlled by the eduperson_entitlement scope. Therefore, in order for dCache to learn group-membership, dCacheView should (also) request the eduperson_entitlement scope.

However, not all OPs support the eduperson_entitlement scope and requesting a non-existing scope can cause the login to fail. Therefore, it is important to allow per-OP configuration of the desired scopes.
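
One way the per-OP scope selection requested above could look, as an added example that is not part of the issue and not dCacheView code. The issuer URLs, client id, `OP_CONFIG`, `scopesFor` and `buildAuthRequest` are hypothetical; the sketch assumes the OP's discovery document may advertise `scopes_supported` and uses it to drop scopes the OP does not list.

```javascript
// Added illustration: none of these names come from dCacheView.
// The hard-coded scope list described in the issue, used as the fallback.
const DEFAULT_SCOPES = ['openid', 'profile', 'email'];

// Constructed per-OP configuration; issuers and client id are placeholders.
const OP_CONFIG = {
  'https://op-a.example.org': {
    clientId: 'dcache-view-example',
    scopes: ['openid', 'profile', 'email', 'eduperson_entitlement']
  },
  'https://op-b.example.org': { clientId: 'dcache-view-example' } // no override
};

// Choose the scopes to request from one OP. When the discovery document
// lists scopes_supported, anything the OP does not advertise is dropped so
// that an unsupported scope cannot break the login. 'openid' is always kept.
function scopesFor(issuer, discovery = {}) {
  const op = OP_CONFIG[issuer];
  if (!op) throw new Error(`unknown OP: ${issuer}`);
  const supported = discovery.scopes_supported;
  const scopes = (op.scopes || DEFAULT_SCOPES).filter(
    s => !Array.isArray(supported) || s === 'openid' || supported.includes(s));
  if (!scopes.includes('openid')) scopes.unshift('openid');
  return [...new Set(scopes)];
}

// Build the implicit-flow authorization request URL for the chosen OP.
function buildAuthRequest(issuer, discovery, redirectUri, state, nonce) {
  const scope = scopesFor(issuer, discovery).join(' ');
  const url = new URL(discovery.authorization_endpoint);
  url.search = new URLSearchParams({
    response_type: 'id_token token',
    client_id: OP_CONFIG[issuer].clientId,
    redirect_uri: redirectUri,
    scope,
    state,
    nonce
  }).toString();
  return url.toString();
}
```
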