indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Grant admin scopes only to admin-approved clients during authZ code/device flow #819

Open rmiccoli opened 1 month ago

rmiccoli commented 1 month ago

Clients approved by regular users during authZ code/device flow cannot get admin scopes even if they are allowed to get them. A filter should be added to the /authorize endpoint (at the consent page level, as for the IAM scope policies).

enricovianello commented 1 month ago

Should the client-credentials flow be affected?