It seems that extraScopesToConsent just provides another interface to add scopes, but ultimately they just get appended to the scopes that were passed in as part of the request. It seems like the key distinction is that they should go after the scopes passed in the request. In this case, the customer receives an access token for the scopes from the request, and a refresh token that works for both scopes and extraScopesToConsent, where they have to call acquireTokenSilent to get an access token for extraScopesToConsent.
A Java Set does not guarantee order. If the server is relying on the order of the scopes to make this distinction (I'm not sure that's the case, just assuming that from this implementation), we should probably use a data structure that guarantees order (such as TreeSet).
Good point about the order of scopes, but it should not matter because it is used just for the authorization request; during the token request (with the auth code) the scope for the access token is specified.
Extra scope to consent during authorization request
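To make the two-request split discussed above concrete, here is an added example (not MSAL4J code, and not from this PR) that models how request scopes and extraScopesToConsent would be combined for the authorization request while the token request carries only the request scopes. The class and method names (ScopeOrderingExample, authorizationScopeParam, tokenScopeParam), the client_id placeholder and the sample scope values are assumptions made for illustration; a LinkedHashSet is used so that insertion order (request scopes first, extras appended, duplicates dropped) is preserved deterministically.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Added example, not MSAL4J code: models how scopes and extraScopesToConsent
// combine for the authorization request versus the token (auth code) request.
public class ScopeOrderingExample {

    // Scopes the app wants an access token for now (constructed sample values).
    static final Set<String> REQUEST_SCOPES =
            new LinkedHashSet<>(List.of("User.Read", "Mail.Read"));

    // Scopes to pre-consent so a later acquireTokenSilent call can get a token
    // for them without another interactive prompt (constructed sample values;
    // "User.Read" is repeated on purpose to show de-duplication).
    static final Set<String> EXTRA_SCOPES_TO_CONSENT =
            new LinkedHashSet<>(List.of("Calendars.Read", "User.Read"));

    /**
     * Authorization request: request scopes first, extra scopes appended after
     * them. LinkedHashSet keeps insertion order and drops duplicates, unlike a
     * plain HashSet whose iteration order is unspecified.
     */
    static String authorizationScopeParam(Set<String> requestScopes, Set<String> extraScopes) {
        Set<String> ordered = new LinkedHashSet<>(requestScopes);
        ordered.addAll(extraScopes);
        return String.join(" ", ordered);
    }

    /**
     * Token request (auth code redemption): only the scopes the access token
     * should cover. The refresh token issued alongside it still reflects the
     * full set the user consented to in the authorization request.
     */
    static String tokenScopeParam(Set<String> requestScopes) {
        return String.join(" ", requestScopes);
    }

    static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Hypothetical client_id placeholder; replace with a real application id.
        String clientId = "00000000-0000-0000-0000-000000000000";

        String authorizeUrl = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                + "?client_id=" + encode(clientId)
                + "&response_type=code"
                + "&scope=" + encode(authorizationScopeParam(REQUEST_SCOPES, EXTRA_SCOPES_TO_CONSENT));
        System.out.println("authorization request: " + authorizeUrl);

        // The auth code value is elided; it comes back on the redirect URI.
        String tokenBody = "grant_type=authorization_code"
                + "&client_id=" + encode(clientId)
                + "&code=<code>"
                + "&scope=" + encode(tokenScopeParam(REQUEST_SCOPES));
        System.out.println("token request body:    " + tokenBody);
    }
}
```

Running it prints the authorization request with all consented scopes in insertion order and the token request with only the request scopes. Swapping LinkedHashSet for HashSet would still produce a valid request, but the scope order would no longer be predictable, which is the concern raised in the review; a TreeSet would give a stable order too, though sorted alphabetically rather than request-scopes-first.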