Being able to decide which scopes require the consent page

[merxos]

Expected Behavior
I'm able to select which scopes require the consent page. Probably in the OAuth2 client registration

Current Behavior
Right now it is possible to require the consent page for every scope or never show it

Context
I got a business requirement where one of the scopes that we provide should not display consent page. I was able to make a workaround which is not optimal. I have made a copy of the OAuth2AuthorizationCodeRequestAuthenticationProvider and adjusted the method requireAuthorizationConsent

[jgrandja]

@merxos

I got a business requirement where one of the scopes that we provide should not display consent page.

Could you not configure a RegisteredClient that requests that scope and ensure the RegisteredClient.clientSettings.isRequireAuthorizationConsent() is set to false? This should fulfill your requirement?

If it doesn't, please provide more detailed information for your use case so I can better understand.

[merxos]

It unfortunately won't solve my requirement, because we have multiple scopes available, and it only depends on the client which scopes they choose. So I need more like a scope level definition on whether to show the consent page or not.

[jgrandja]

@merxos

If it doesn't, please provide more detailed information for your use case so I can better understand.

I still do not understand your use case. Please provide much more details on your use case scenarios otherwise I won't be able to help and this issue will get closed.

[spring-projects-issues]

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

[PunchyRascal]

We would like to have the following setup: (I'm with @merxos)

• scopeA: does not require consent
• scopeB: requires consent

Right now it is only possible to have either:

• scopeA: does not require consent
• scopeB: does not require consent

or

• scopeA: requires consent
• scopeB: requires consent

But you cannot combine those two 🙂