Open bbockelm opened 6 months ago
Clarification needed: How are you authenticating? When you say no proxying through CILogon, are you assuming that Tomcat is handling the login? Normally scopes are displayed so I need to understand better how this is happening.
This is authenticating by HTTP header.
A quick perusal of the device code flow doesn't show any obvious way to hit a confirmation screen. Seems to go straight to the device-ok.jsp.
This is an issue in proxy mode also. See #107.
When I use the device code flow directly (no proxy to CILogon), after copy/pasting the generated URL from the terminal (e.g., https://localhost:8444/api/v1.0/issuer/device?user_code=8XF_A4D_65X), I get the following:
There was no option provided to the user to approve the requested scopes -- I could have asked for anything!
(Separately, it'd be useful to have a way to inject some CSS into the page -- or, alternately, consider a machine-readable response so I can intercept it at the proxy layer and create my own.)
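The consent step this issue reports as missing, as an added illustration that is not part of the thread and not the project's code: a toy RFC 8628 device-grant state machine in which authenticating the user (for example by a trusted HTTP header) only produces the prompt, and a separate explicit decision moves the grant out of `pending`. All class, method and scope names are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class DeviceGrant:
    client_id: str
    requested: frozenset
    expires_at: float
    state: str = "pending"        # pending -> approved | denied
    subject: str = ""
    granted: frozenset = frozenset()

class DeviceAuthz:
    """Toy RFC 8628 server state; names are hypothetical, not the project's."""
    def __init__(self, ttl=600):
        self.ttl, self.by_user_code, self.by_device_code = ttl, {}, {}

    def start(self, client_id, scopes, now=None):
        now = time.time() if now is None else now
        grant = DeviceGrant(client_id, frozenset(scopes), now + self.ttl)
        user_code, device_code = secrets.token_hex(4), secrets.token_urlsafe(32)
        self.by_user_code[user_code] = self.by_device_code[device_code] = grant
        return user_code, device_code

    def consent_prompt(self, user_code, subject):
        # Reached once the user is authenticated (e.g. by a trusted header).
        # Only reports what must be shown; authentication changes no state.
        grant = self.by_user_code[user_code]
        return {"user": subject, "client_id": grant.client_id,
                "scopes": sorted(grant.requested)}

    def decide(self, user_code, subject, approved_scopes):
        # The user's explicit answer; the user code is single use.
        grant = self.by_user_code.pop(user_code)
        grant.subject = subject
        grant.granted = grant.requested & frozenset(approved_scopes)
        grant.state = "approved" if grant.granted else "denied"
        return grant.state

    def poll(self, device_code, now=None):
        # Token endpoint: error codes are those of RFC 8628 section 3.5.
        now = time.time() if now is None else now
        grant = self.by_device_code.get(device_code)
        if grant is None:
            return {"error": "invalid_grant"}
        if now >= grant.expires_at:
            return {"error": "expired_token"}
        if grant.state == "pending":
            return {"error": "authorization_pending"}
        if grant.state == "denied":
            return {"error": "access_denied"}
        del self.by_device_code[device_code]   # one token per device code
        return {"sub": grant.subject, "scope": " ".join(sorted(grant.granted))}
```

The granted set is the intersection of what the client requested and what the user approved, so the client can never end up with a scope the user did not see and accept.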