OAuth2Application should have scope #25813
Labels
proposal/accepted
We have reviewed the proposal and agree that it should be implemented like that/at all.
type/feature
Completely new functionality. Can only be merged if feature freeze is not active.
type/proposal
The new feature has not been accepted yet but needs to be discussed first.
Comments
hickford
added
the
type/proposal
lunny
added
type/feature
|
Previous work that added scope to grants and access tokens @aunger #4300 and @jolheiser #20908 |
|
Referencing #24767, where tokens are redesigned |
|
Those are access_token, but this one is for application token |
|
Are "scopes" what would let me only grant "read_email" to an application token ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Feature Description
OAuth2Application should record scope at registration.
OAuth2Grant scope should then be restricted to a subset of application scope.
This security improvement is especially valuable for public clients which are inherently vulnerable to client impersonation.
The consent screen should list the application scope https://imgur.com/a/7RRUPES
Screenshots
GitLab has this feature https://docs.gitlab.com/ee/integration/oauth_provider.html
GitHub does not
The text was updated successfully, but these errors were encountered: