I am implementing a consent endpoint to integrate ...
# talk-hydra
I am implementing a consent endpoint to integrate Hydra. – When getting the consent request via the Hydra backend API, is the requested_scope already checked by hydra or is it possible that it consists scopes that should not be allowed for the OAuth client?
I am asking, because I want to add some fields to the OpenID Connect ID token if the client has requested and is allowed to access a certain scope.
Hm good question, just by going in the flow graphic in https://www.ory.sh/hydra/docs/next/concepts/consent/ i would say the end user first gets redirected and then consent info (including requested_scopes) gets fetched from hydra. you may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain, will let you know if I have more certainty.
Thank you.