dry-book-88542

11/15/2021, 9:40 AM
I am implementing a consent endpoint to integrate Hydra. When getting the consent request via the Hydra backend API, is the requested_scope already checked by Hydra, or is it possible that it contains scopes that should not be allowed for the OAuth client?
I am asking, because I want to add some fields to the OpenID Connect ID token if the client has requested and is allowed to access a certain scope.

magnificent-energy-493

11/15/2021, 9:56 AM
Hm, good question. Just going by the flow graphic in https://www.ory.sh/hydra/docs/next/concepts/consent/ I would say the end user first gets redirected and then consent info (including requested_scopes) gets fetched from Hydra. You may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain; will let you know if I have more certainty.

dry-book-88542

11/15/2021, 10:06 AM
Thank you.