Custom OIDC scopes and claims #320

@byewokko

Description

Is your feature request related to a problem? Please describe.
Seacat does not provide many options to control the content of the ID token and Userinfo payloads.

Describe the solution you'd like

  • Allow the client to request specific claims and authorization scopes in the authorization request.
  • If a custom scope is requested, the authorization server should ask the resource owner associated with the scope to authorize the scope request and provide the requested claims.

Details

  • The custom scope authorization can happen via webhook or pluggable python module.
  • Custom scope IDs should be prefixed with the client ID of the resource owner (eventually, there could be a scope administration mechanism).
  • Clients that are also resource owners must register a resource_authorization_uri where the requests will be sent.
  • The resource authorization request should contain the relevant subset of the authorization parameters, including the requested claims and scopes.
  • A successful resource authorization response must have status code 200 and contain a JSON object with the claims that will be added to the resulting ID token and Userinfo. The authorization server needs to verify that the resource owner is authorized to grant all the returned claims.
  • Responses with other statuses are considered errors. It is recommended that the client stick to common error statuses: 400 (generic unspecified error), 401 (authentication failed), 403 (access denied). Error details can be supplied in the JSON body for logging purposes.
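The exchange proposed above, simulated end to end as an added example (this is not SeaCat Auth code and not part of the issue). It assumes a scope format of `<owner_client_id>:<scope>`, JSON field names for the request and response (`client_id`, `sub`, `scope`, `claims`), and a per-client `grantable_claims` registry the authorization server uses to check what a resource owner may return; none of these are specified in the issue. The HTTP POST to `resource_authorization_uri` is replaced by an in-process dispatch table so the whole thing runs offline, and the resource owners (`crm_owner`, `overreaching_owner`) and client records are constructed sample data.

```python
"""Simulation of the proposed resource-authorization webhook exchange.

Assumed, not from the issue: the "<owner>:<scope>" scope format, the JSON
field names, and the per-client grantable_claims registry.
"""
from typing import Callable, Optional

# Claims the authorization server issues itself; a resource owner can never override them.
RESERVED_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "nonce"}


class Client:
    def __init__(self, client_id: str, resource_authorization_uri: Optional[str] = None,
                 grantable_claims: Optional[set] = None):
        self.client_id = client_id
        self.resource_authorization_uri = resource_authorization_uri  # only resource owners set this
        self.grantable_claims = grantable_claims or set()              # assumed registry


class ResourceAuthorizationError(Exception):
    def __init__(self, owner: str, status: int, detail: str):
        super().__init__(f"{owner}: {status} {detail}")
        self.owner, self.status, self.detail = owner, status, detail


def split_custom_scopes(scopes: list, clients: dict) -> dict:
    """Group custom scopes by the owner client whose ID prefixes them.
    Scopes without a prefix (openid, profile, ...) are handled by the server itself."""
    by_owner: dict = {}
    for scope in scopes:
        owner, sep, _ = scope.partition(":")
        if not sep:
            continue
        client = clients.get(owner)
        if client is None or client.resource_authorization_uri is None:
            raise ValueError(f"invalid_scope: no resource owner registered for {scope!r}")
        by_owner.setdefault(owner, []).append(scope)
    return by_owner


def build_request(auth_params: dict, scopes: list) -> dict:
    """The relevant subset of the authorization request forwarded to the resource owner."""
    return {
        "client_id": auth_params["client_id"],
        "sub": auth_params["sub"],
        "scope": scopes,
        "claims": auth_params.get("claims", {}),
    }


def validate_response(owner: Client, status: int, body) -> dict:
    """Accept only 200 + JSON object, and reject any claim the owner may not grant."""
    if status != 200:
        detail = body.get("error", "unspecified") if isinstance(body, dict) else "unspecified"
        raise ResourceAuthorizationError(owner.client_id, status, detail)
    if not isinstance(body, dict):
        raise ResourceAuthorizationError(owner.client_id, 200, "response body is not a JSON object")
    returned = set(body)
    bad = (returned & RESERVED_CLAIMS) | (returned - owner.grantable_claims)
    if bad:
        raise ResourceAuthorizationError(owner.client_id, 200, f"not authorized to grant {sorted(bad)}")
    return body


def authorize(auth_params: dict, clients: dict, dispatch: dict) -> dict:
    """Run the exchange for every custom scope and merge granted claims into the ID token payload."""
    id_token = {"sub": auth_params["sub"]}
    for owner_id, scopes in split_custom_scopes(auth_params["scope"], clients).items():
        owner = clients[owner_id]
        handler: Callable = dispatch[owner.resource_authorization_uri]  # stand-in for HTTP POST
        status, body = handler(build_request(auth_params, scopes))
        id_token.update(validate_response(owner, status, body))
    return id_token


def try_authorize(auth_params: dict, clients: dict, dispatch: dict) -> tuple:
    """Return ("ok", claims) or ("error", message) so outcomes are easy to inspect."""
    try:
        return "ok", authorize(auth_params, clients, dispatch)
    except (ResourceAuthorizationError, ValueError) as e:
        return "error", str(e)


# Constructed sample data: "crm" is a client that also owns the scope "crm:contacts".
CRM_URI = "https://crm.example/resource-authz"
CLIENTS = {
    "webapp": Client("webapp"),
    "crm": Client("crm", CRM_URI, {"crm_role", "crm_contacts"}),
}


def crm_owner(req: dict) -> tuple:
    """Constructed well-behaved resource owner: grants claims to user-1 only."""
    if req["sub"] != "user-1":
        return 403, {"error": "access denied"}
    return 200, {"crm_role": "agent", "crm_contacts": ["c1", "c2"]}


def overreaching_owner(req: dict) -> tuple:
    """Constructed misbehaving owner: tries to set a reserved claim and an unregistered one."""
    return 200, {"crm_role": "agent", "sub": "admin", "is_superuser": True}


if __name__ == "__main__":
    req = {"client_id": "webapp", "sub": "user-1", "scope": ["openid", "crm:contacts"], "claims": {}}
    print(try_authorize(req, CLIENTS, {CRM_URI: crm_owner}))
    print(try_authorize(req, CLIENTS, {CRM_URI: overreaching_owner}))
```

The check in `validate_response` is the one that matters for security: without it, any client that registers a `resource_authorization_uri` could inject arbitrary claims (including `sub`) into every ID token that names one of its scopes, so the server must compare the returned claim names against what that owner was registered to grant before merging them.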

Labels: enhancement (New feature or request)