improve grant page appearance, allow partial scope approval

[liggitt]

• displays descriptions of the requested scopes
• displays warnings about escalating scopes
• displays service account oauth clients nicely (Service account <foo> in project <bar>...)
• allows withholding some of the requested scopes
• ensures the username present when the grant page was shown matches the authenticated user when submitting the form

To exercise various permutations of the page:

1. Create a prompting OAuth client and an OAuth service account:

   oc create -f - <<< '{"kind":"OAuthClient","apiVersion":"v1","metadata":{"name":"myclient"},"grantMethod":"prompt","redirectURIs":["http://localhost"]}'
   oc annotate sa/builder -n default 'serviceaccounts.openshift.io/oauth-redirecturi.one=http://localhost'
   

2. Start the OAuth flow requesting a bunch of scopes ([example oauth client link](https://localhost:8443/oauth/authorize?client_id=myclient&response_type=token&scope=user:info user:check-access user:full role:admin:* role:admin:*:! role:admin:my-namespace role:admin:my-namespace:!), [example service account link](https://localhost:8443/oauth/authorize?client_id=system:serviceaccount:default:builder&response_type=token&scope=user:info user:check-access role:admin:default role:admin:default:!))

3. Go through the flow several times, exercising various permutations:

   • Click "Deny", you are redirected to localhost with an access_denied error
   • Uncheck all permissions and "approve selected", you are redirected to localhost with an access_denied error
   • Check only one or two permissions and "approve selected", you are redirected to localhost with an access token and the approved scopes in a scope parameter
   • After approving a couple permissions, the page shows existing access and allows selecting/unselecting remaining requested permissions
   • Once all permissions have been approved, token request flows no longer show the prompting page

At each step, the OAuthClientAuthorization object for the user should include all the scopes approved thus far, and the created OAuthAccessToken objects should include the scopes that were both requested AND approved.

Before:

After
No existing permissions:

With existing permissions:

When the client is a service account:

Mobile view:

[liggitt]

@jwforres @spadgett for UI feedback
@deads2k for partial scope approval

[liggitt]

[test]

[smarterclayton]

LOVE. IT.

[deads2k]

How do service accounts render?

[smarterclayton]

Should we only check by default the risky things, and then put a warning if any of them have to be opted in? I.e. force users to opt into the scarier ones?

[liggitt]

How do service accounts render?

Working on that now, currently something like this:

Should we only check by default the risky things, and then put a warning if any of them have to be opted in? I.e. force users to opt into the scarier ones?

Not sure, I have mixed feelings about that. I've never seen a prompting page that defaulted requested permissions off...

[liggitt]

updated with service account rendering, ready for review

[deads2k]

@spadgett @jwforres web-ui stuff here, ptal

[deads2k]

nit. Go code lgtm otherwise, but @spadgett or @jwforres from UI should review the web bits.

[jwforres]

#363636 is our base font color in openshift

[liggitt]

fixed

[deads2k]

go code lgtm.

@jwforres merge is yours.

[jwforres]

template LGTM

[liggitt]

[merge]

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7918/) (Image: devenv-rhel7_4831)

[openshift-bot]

Evaluated for origin merge up to 3905a09

[openshift-bot]

Evaluated for origin test up to 3905a09

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/7918/)