[openstreetmap/openstreetmap-website] OAuth 2: Granting partial permissions not possible (Issue #4360)

mmd notifications at github.com
Sun Feb 25 11:54:13 UTC 2024


So I tried this out in https://gist.github.com/mmd-osm/a8edb405918795d7d823b9088bd12f41 and replaced the static list with some checkboxes. You can deselect some of the scopes before authorizing the request, and the resulting token would only include the exact list of scopes which have been selected.

> Well the problem is that you can't (with our implementation at least) just request multiple tokens because the server aggregates all authorisations for a given client, so when you try and get a new token it will see the existing authorisation and return a token for it without asking the user to authorise again.

I think on the UI, you would indeed only see a single entry per application. However, on the database there are several tokens for each distinct set of scopes. To be honest, that's a bit confusing for a user. I haven't checked which of the different tokens is shown on /oauth2/authorized_applications in the end.

![image](https://github.com/openstreetmap/openstreetmap-website/assets/5842757/90b6e3a0-f454-44c0-8ed8-eeb3d08e56ed)

There's another issue here. For a few weeks now, I've been getting the /oauth2/authorize "Authorization Required" dialog, even if I have previously authorized the app. If I'm not completely mistaken, this used to be different in the past. Maybe the recent addition of openid has changed the default behavior?

Now with this dialog showing up all the time, it would be good if the checkboxes reflected the previous scope selection. Otherwise this is getting fairly annoying for users, who have to deselect some scopes each time. I haven't really looked into this part yet, but I believe it might be useful to do so.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/4360#issuecomment-1962909343

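The behaviour described in the comment above (a consent page with scope checkboxes, an authorization server that silently reuses an existing token for the same client, and one stored token per distinct scope set) can be modelled in a few lines. The following is an added example, not code from openstreetmap-website or from Doorkeeper; the `TokenStore` class, its exact-match reuse rule and the scope names used as sample input are assumptions made for illustration.

```ruby
# Added example (not project code): a minimal model of OAuth 2 scope selection
# and token reuse. It shows why unticking scopes on the consent page yields a
# separate token per distinct scope set, and how a consent page could be
# pre-filled from what the user granted earlier.

require 'set'
require 'securerandom'

Token = Struct.new(:client_id, :user_id, :scopes, :value)

class TokenStore
  def initialize
    @tokens = []
  end

  # Returns an existing token for this client/user whose scope set exactly
  # equals the requested set, or nil. Exact matching is an assumption here:
  # a token holding a superset of scopes is not reused, so each distinct
  # selection on the consent page becomes its own token.
  def matching_token(client_id, user_id, scopes)
    wanted = Set.new(scopes)
    @tokens.find do |t|
      t.client_id == client_id && t.user_id == user_id && Set.new(t.scopes) == wanted
    end
  end

  # The consent page is skipped only when an exactly matching token exists.
  def consent_required?(client_id, user_id, scopes)
    matching_token(client_id, user_id, scopes).nil?
  end

  # Issue a token for the scopes the user left selected. The selection must be
  # a non-empty subset of what the client requested; anything else is rejected
  # so a tampered form cannot grant more than was asked for.
  def authorize(client_id, user_id, requested, selected)
    raise ArgumentError, 'selected scopes exceed request' unless Set.new(selected).subset?(Set.new(requested))
    raise ArgumentError, 'no scopes selected' if selected.empty?

    existing = matching_token(client_id, user_id, selected)
    return existing if existing

    token = Token.new(client_id, user_id, selected.sort, SecureRandom.hex(16))
    @tokens << token
    token
  end

  # Distinct scope sets held for one client/user pair: what a single
  # "authorized application" entry in the UI actually aggregates.
  def scope_sets(client_id, user_id)
    @tokens.select { |t| t.client_id == client_id && t.user_id == user_id }
           .map(&:scopes).uniq
  end

  # Pre-fill the consent checkboxes: scopes requested now that the user granted
  # in any earlier token for this client. Scopes requested but never granted
  # come back unticked.
  def previous_selection(client_id, user_id, requested)
    granted = scope_sets(client_id, user_id).flatten.uniq
    requested.select { |s| granted.include?(s) }
  end
end

# Constructed walk-through with sample scope names.
def demo
  store = TokenStore.new
  requested = %w[read_prefs write_api write_notes]

  # First visit: the user unticks write_notes.
  t1 = store.authorize('app-1', 42, requested, %w[read_prefs write_api])

  # Same request again: no token carries the full set, so consent is asked
  # again, but the checkboxes can be pre-filled from the earlier grant.
  again = store.consent_required?('app-1', 42, requested)
  prefill = store.previous_selection('app-1', 42, requested)

  # Re-selecting exactly the earlier subset reuses t1 instead of minting anew.
  t2 = store.authorize('app-1', 42, requested, %w[read_prefs write_api])

  # Granting the full set creates a second token rather than widening t1.
  store.authorize('app-1', 42, requested, requested)

  {
    consent_again: again,
    prefill: prefill,
    reused: t1.equal?(t2),
    sets: store.scope_sets('app-1', 42).length
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run directly, `demo` reports that consent is requested again for the full scope set, that the pre-filled selection is the two scopes granted before, that the identical subset reuses the first token, and that the user now holds two tokens for one application, which is exactly the "several tokens for each distinct set of scopes" situation the comment describes.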

More information about the rails-dev mailing list