I am implementing a consent endpoint to integrate Hydra. When getting the consent request via the Hydra backend API, is the requested_scope already checked by Hydra, or is it possible that it contains scopes that should not be allowed for the OAuth client?
I am asking because I want to add some fields to the OpenID Connect ID token if the client has requested, and is allowed to access, a certain scope.
11/15/2021, 9:56 AM
Hm, good question. Just going by the flow graphic in https://www.ory.sh/hydra/docs/next/concepts/consent/,
I would say the end user first gets redirected, and then the consent info (including requested_scopes) gets fetched from Hydra.
You may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain; I will let you know if I have more certainty.