The parameter authorized_only in the OAuth2 Client list service is possibly ambiguous.
Only OAuth2 clients registered by a user are listed when authorized_only=false (default).
When authorized_only=true, Kustvakt does not really filter the user-registered clients, but lists all authorized clients, including those not registered by the user himself.
Kustvakt should probably include all authorized clients when authorized_only=false. We need to show which clients are owned/have been registered by the users.
Maybe registered_by should be removed from the response for data security because it would show usernames of other users.
registered_by:
I agree that it is a data-security-sensitive subject. On the other hand, it might be helpful information for some users, for example, if you want to install only clients of a certain institution, etc.
All in all we probably should delete it, but keep that in mind.