OAuth2Application should have scope #25813
Labels: proposal/accepted, type/feature, type/proposal
Feature Description
OAuth2Application should record scope at registration.
OAuth2Grant scope should then be restricted to a subset of application scope.
This security improvement is especially valuable for public clients, which are inherently vulnerable to client impersonation.
The consent screen should list the application scope (https://imgur.com/a/7RRUPES).
Screenshots
GitLab has this feature: https://docs.gitlab.com/ee/integration/oauth_provider.html
GitHub does not.
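The check the proposal describes (a grant may only carry scopes that were recorded for the application at registration, and the consent screen lists the registered scope) as an added example in Go; this is illustrative code written for this page, not Gitea's own implementation. The `OAuth2Application` struct, its `Scopes` field, the scope names used as sample data and the `GrantScope`/`ConsentLines` helpers are assumptions, not Gitea's models or API. Scope strings are treated as RFC 6749 section 3.3 space-delimited, case-sensitive tokens; an authorization request that omits `scope` falls back to the registered scope, and one that asks for anything outside it is refused with `invalid_scope` rather than silently narrowed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// OAuth2Application is a hypothetical stand-in for a registered client
// (assumption: not Gitea's model). Scopes is the scope recorded at
// registration that every grant for this client must stay within.
type OAuth2Application struct {
	ClientID string
	Scopes   []string
}

// ScopeError is the error the authorization endpoint would surface when
// the request exceeds the registered scope (RFC 6749 section 4.1.2.1
// uses the error code "invalid_scope").
type ScopeError struct {
	Code        string
	Description string
}

func (e *ScopeError) Error() string { return e.Code + ": " + e.Description }

// ParseScope splits an RFC 6749 section 3.3 scope string (space-delimited,
// case-sensitive tokens) into a de-duplicated, sorted list.
func ParseScope(s string) []string {
	seen := make(map[string]struct{})
	var out []string
	for _, tok := range strings.Fields(s) {
		if _, dup := seen[tok]; dup {
			continue
		}
		seen[tok] = struct{}{}
		out = append(out, tok)
	}
	sort.Strings(out)
	return out
}

// GrantScope decides which scopes a grant for app may carry, given the
// scope parameter of the authorization request:
//   - empty request: fall back to the scope registered for the client
//   - any requested token not registered: reject with invalid_scope
// The result is always a subset of app.Scopes.
func GrantScope(app *OAuth2Application, requested string) ([]string, error) {
	allowed := make(map[string]struct{}, len(app.Scopes))
	for _, s := range app.Scopes {
		allowed[s] = struct{}{}
	}
	req := ParseScope(requested)
	if len(req) == 0 {
		return ParseScope(strings.Join(app.Scopes, " ")), nil
	}
	var extra []string
	for _, s := range req {
		if _, ok := allowed[s]; !ok {
			extra = append(extra, s)
		}
	}
	if len(extra) > 0 {
		return nil, &ScopeError{
			Code:        "invalid_scope",
			Description: fmt.Sprintf("scope(s) not registered for client %s: %s", app.ClientID, strings.Join(extra, " ")),
		}
	}
	return req, nil
}

// ConsentLines builds the consent-screen listing: every scope registered
// for the application, marked by whether this grant actually requests it,
// so the user sees the full envelope the client was registered with.
func ConsentLines(app *OAuth2Application, granted []string) []string {
	g := make(map[string]bool, len(granted))
	for _, s := range granted {
		g[s] = true
	}
	var lines []string
	for _, s := range ParseScope(strings.Join(app.Scopes, " ")) {
		mark := "not requested"
		if g[s] {
			mark = "requested"
		}
		lines = append(lines, s+" ("+mark+")")
	}
	return lines
}

func main() {
	// Constructed sample client; scope names are illustrative only.
	app := &OAuth2Application{ClientID: "demo-public-client", Scopes: []string{"read:user", "read:repository"}}
	for _, req := range []string{"read:user", "", "read:user write:repository"} {
		granted, err := GrantScope(app, req)
		if err != nil {
			fmt.Printf("request %q -> error %v\n", req, err)
			continue
		}
		fmt.Printf("request %q -> granted %v\n", req, granted)
		for _, line := range ConsentLines(app, granted) {
			fmt.Println("  consent:", line)
		}
	}
}
```

The important design point is the failure mode: a request for a scope outside the registered set returns `invalid_scope` instead of intersecting and continuing, because an impersonating public client that gets a narrowed grant back has still learned which scopes the real client registered and can retry within them unnoticed; an explicit error is what an operator can log and alert on.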