- 1. 01-basic-scenario
- 2. 02-check-permissions-by-claims-in-access-token
- 3. 03-multiple-resource-server
Question: 9. In client-access-resource-server/client's application.yml, the property spring.security.oauth2.client.registration.scope contains openid and profile. what will happen if we delete openid or scope?
Answer:
- If openid been deleted, when sign in, it will have error like AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid.
- If profile been deleted, when sign in, client-access-resource-server/client will throw exception like Missing attribute 'name' in attributes.
- If offline_access been deleted, user can sign in without any problem. And user can access http://localhost:8080/resource-server without any problem. But after one hour, user can not access http://localhost:8080/resource-server anymore, because access token has been expired. offline_access is used to get refresh token, and refresh token can be used to get another access token when current access token expired.
- Please refer to document about OpenID Connect scopes to get more information.
Question:
- List all scopes that can be used for authorization.
Answer:
- Claims: scp, roles, wids, groups.
Question:
- If there are 100 clients configured in application.yml, the permission request page will appear 100 times. Please investigate how to reduce the consent page.
Answer:
- Option 1: Use incremental and dynamic user consent. Refer to document about incremental and dynamic user consent.
- Option 2: Use admin consent. Refer to document about admin consent.
- Option 3: Configure
pre-authorized client app (PCA). Refer to document about add a scope. - Option 4: Permission request page is appeared when request for authorization code. When request for authorization code, scopes from multiple resource. When request for access token, scopes from single resource. Refer to spring-security#10452 to get more information.