No verification of user scope requests #181
Comments
Clarification needed: How are you authenticating? When you say no proxying through CILogon, are you assuming that Tomcat is handling the login? Normally scopes are displayed so I need to understand better how this is happening.
This is authenticating by HTTP header. A quick perusal of the device code flow doesn't show any obvious way to hit a confirmation screen. Seems to go straight to the device-ok.jsp.
This is an issue in proxy mode also. See #107.
When I use the device code flow directly (no proxy to CILogon), after copy/pasting the generated URL from the terminal (e.g., https://localhost:8444/api/v1.0/issuer/device?user_code=8XF_A4D_65X), I get the following:
There was no option provided to the user to approve the requested scopes -- I could have asked for anything!
(Separately, it'd be useful to have a way to inject some CSS into the page -- or, alternately, consider a machine-readable response so I can intercept it at the proxy layer and create my own.)
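
The consent gate this report asks for, sketched as an added example that is not part of the original issue or the project's code: the verification step only displays the requested scopes, and the token endpoint keeps answering `authorization_pending` until the user's explicit decision is recorded. The `DeviceFlow` and `Grant` names, the in-memory storage and the scope names are hypothetical; the error strings are the ones defined in RFC 8628 and RFC 6749.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Grant:
    client_id: str
    requested: frozenset
    user: Optional[str] = None
    approved: Optional[frozenset] = None  # stays None until the user decides
    denied: bool = False

class DeviceFlow:
    """Hypothetical in-memory model of an RFC 8628 authorization server."""

    def __init__(self, registered_scopes):
        self.registered = registered_scopes  # client_id -> scopes it may request
        self.by_user_code, self.by_device_code = {}, {}

    def start(self, client_id, scopes):
        requested = frozenset(scopes)
        extra = requested - self.registered.get(client_id, frozenset())
        if extra:  # never trust the client's scope list as-is
            raise ValueError(f"invalid_scope: {sorted(extra)}")
        grant = Grant(client_id, requested)
        user_code, device_code = secrets.token_hex(4), secrets.token_urlsafe(32)
        self.by_user_code[user_code] = self.by_device_code[device_code] = grant
        return user_code, device_code

    def verify(self, user_code, user):
        """Authenticated user opens the verification URL: show scopes, approve nothing."""
        grant = self.by_user_code[user_code]
        grant.user = user
        return sorted(grant.requested)  # rendered on the consent page

    def decide(self, user_code, user, approved_scopes):
        """Record the user's explicit choice; an empty selection is a denial."""
        grant = self.by_user_code[user_code]
        approved = frozenset(approved_scopes)
        if grant.user != user or not approved <= grant.requested:
            raise PermissionError("decision does not match the pending request")
        grant.approved, grant.denied = approved, not approved

    def poll(self, device_code):
        """Token endpoint: nothing is issued until decide() has recorded consent."""
        grant = self.by_device_code[device_code]
        if grant.denied:
            return {"error": "access_denied"}
        if grant.approved is None:
            return {"error": "authorization_pending"}
        return {"scope": " ".join(sorted(grant.approved))}  # token minting omitted
```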