How can I have the "backend developer" gain control over the OAuth authorization scope for some social provider?
For example, in the "Spring Social Showcase" sample webapp, it is inside JSPs (e.g. views/connect/facebookConnect.jsp and views/signin/signin.jsp) how the web application controls the requested authorization scope. Here is some sample code how setting the authoritzation scope is done currently in an HTML file:
I find the approach of having HTML specify the requested authorization scope problematic for the following reasons:
<form action="<c:url value="/connect/facebook" />" method="POST">
<input type="hidden" name="scope" value="publish_stream,user_photos,offline_access" />
- It makes it easier for a web application user to "tinker" with the authoritzation scope. This makes it easier for the user to request or decline permissions on behalf of the web application that the web application didn't want so.
- It moves a business domain-related concept (authorization scope) to a user interaction domain-related environment (HTML/JSP)
- As a backend developer, I now have to consider JSP/HTML concepts such as "hidden field" and "form".
ConnectController and ProviderSignInController take care of handling the HTTP POST and form-contained "scope" with methods annotated with
Internally, they delegate to a ConnectSupport object and have it extract the scope parameter from the request.
In case Spring Social currently doesn't have means of specifying the scope other than with a user-initiated POST-with-scope-parameter-in-an-HTML-form, what about enhancing ConnectController and ProviderSignInController?