Limit scopes per user/group

[jricher]

We might want to create a configurable ability to limit available scopes on a per-user or per-user-group basis. This would need to be checked at authorization time and at token issuance time.

[wikkim]

Relevant TODO?
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-server/src/main/java/org/mitre/openid/connect/ConnectAuthorizationRequestManager.java#L116-120

[jricher]

That TODO is part of the story, though we certainly do want to allow for default scopes if the client doesn't ask for any.

[wikkim]

Okay, I am removing that TODO comment from the code then.

[praseodym]

Maybe relevant: https://github.com/spring-projects/spring-security-oauth/blob/master/docs/oauth2.md#mapping-user-roles-to-scopes

[col-panic]

Considering this ticket, are the following statements true? thanks

• Limiting granted scopes due to (a) users role(s) or group affiliation(s) is currently not supported.
• It is hence currently the duty of the resource provider to check whether a presented scope is valid w.r.t. the given resource.
• Extending org.mitre.openid.connect.repository.UserInfoRepository with methods to retrieve a users allowed scopes for further evaluation at access token creation would be the way to go.

[jricher]

The first two are true and the third is one option.