I'm building a service provider application where users are supposed to be able to share their data with a third party application using OAuth2 and OpenID Connect.
The standard OAuth2 consent flow authorizes scopes (which attributes / roles to share). However, since attributes could consist of multiple values, we would also like to allow the user to select which value(s) to share.
So my question is, should I replace the whole OAuth2 consent flow with a custom one where OAuth2 scopes are more or less replaced with explicit attribute key/value pairs? It feels a bit weird to remove such a core component of OAuth2 as scopes. What do you think? Any other suggestions?
I'm currently trying out spring authorization server for customizing the consent flow (since Keycloak that we're currently using doesn't seem to be that flexible with the consent logic).
I think that replacing the standard consent flow in spring authorization server would require rewrites of both OAuth2AuthorizationConsentService and OAuth2AuthorizationConsentAuthenticationProvider, as well as all the OAuth2...AuthenticationProvider classes that are used for authentication, in order to forward consent to the new consent flow.
Check out the official custom consent sample! This sample demonstrates a custom consent screen without replacing the built-in components for handling submission of the consent screen and saving user consent in the OAuth2AuthorizationConsentService.
In particular, these lines configure the consent page, and this controller endpoint implements the logic for building a custom consent screen, which can be whatever you need for your application.
If you are wanting to customize what is mapped from the consent screen to the saved authorization, you would customize the OAuth2 Authorization Endpoint with an authorizationRequestConverter(). Scopes are simply stored as "authorities", so you can instead (or in addition) store anything you want.
To customize the access token (JWT) that is produced as a result of this consent and authorization, provide a OAuth2TokenCustomizer<JwtEncodingContext> as in the example OAuth2TokenCustomizer from the reference documentation.
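The following is an added example of the approach the answer describes, keeping scopes as they are and storing per-value consent as additional "authorities" in the same OAuth2AuthorizationConsent. It is not code from the linked sample or from Spring Authorization Server itself. The UserAttributeSource interface, the "ATTR_" authority prefix, the "consented_attributes" claim name and the "attr" form field are assumptions of this example; the consent customizer bean is meant to be passed to OAuth2AuthorizationConsentAuthenticationProvider.setAuthorizationConsentCustomizer(...), and that wiring into your authorization server configurer is not shown.

```java
package example.consent;

import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

/** Hypothetical lookup of the attribute values a user actually holds (backed by your user store). */
interface UserAttributeSource {
    Map<String, Set<String>> attributesOf(String principalName);
}

/** One consented value is stored as the authority "ATTR_<key>=<value>", next to the SCOPE_ authorities. */
final class AttributeConsent {
    static final String ATTR_PREFIX = "ATTR_";            // assumed naming convention
    static final String CLAIM = "consented_attributes";   // assumed claim name
    static final String FORM_FIELD = "attr";              // assumed consent-form field, value "key=value"

    private AttributeConsent() {}

    static GrantedAuthority authorityFor(String key, String value) {
        if (key.isBlank() || key.contains("=")) {
            throw new IllegalArgumentException("attribute key must be non-empty and contain no '='");
        }
        return new SimpleGrantedAuthority(ATTR_PREFIX + key + "=" + value);
    }

    /** key -> sorted values, read only from ATTR_ authorities; scopes and anything else are ignored. */
    static Map<String, Set<String>> attributesOf(OAuth2AuthorizationConsent consent) {
        Map<String, Set<String>> out = new TreeMap<>();
        for (GrantedAuthority ga : consent.getAuthorities()) {
            String a = ga.getAuthority();
            if (!a.startsWith(ATTR_PREFIX)) continue;
            int eq = a.indexOf('=', ATTR_PREFIX.length());
            if (eq <= ATTR_PREFIX.length()) continue;   // malformed entry: skip rather than emit a half claim
            out.computeIfAbsent(a.substring(ATTR_PREFIX.length(), eq), k -> new TreeSet<>())
               .add(a.substring(eq + 1));
        }
        return out;
    }
}

@Configuration
class AttributeConsentConfig {

    /**
     * Pass this to OAuth2AuthorizationConsentAuthenticationProvider.setAuthorizationConsentCustomizer(...).
     * It reads the "attr" fields the consent form posted and records each as an authority, but only
     * when the signed-in user really holds that value: the form is client-side input and must not be
     * able to assert attributes the user does not have.
     */
    @Bean
    Consumer<OAuth2AuthorizationConsentAuthenticationContext> attributeConsentCustomizer(UserAttributeSource users) {
        return ctx -> {
            OAuth2AuthorizationConsentAuthenticationToken token = ctx.getAuthentication();
            String user = ((Authentication) token.getPrincipal()).getName();
            Map<String, Set<String>> held = users.attributesOf(user);
            Object raw = token.getAdditionalParameters().get(AttributeConsent.FORM_FIELD);
            // The built-in converter stores a single field as String and repeated fields as String[].
            String[] submitted = raw instanceof String[] ? (String[]) raw
                               : raw instanceof String ? new String[] {(String) raw} : new String[0];
            for (String kv : submitted) {
                int eq = kv.indexOf('=');
                if (eq <= 0) continue;
                String key = kv.substring(0, eq), value = kv.substring(eq + 1);
                if (held.getOrDefault(key, Set.of()).contains(value)) {
                    ctx.getAuthorizationConsent().authority(AttributeConsent.authorityFor(key, value));
                }
            }
        };
    }

    /** Copies the consented values into the access token; ID tokens and refresh tokens are untouched. */
    @Bean
    OAuth2TokenCustomizer<JwtEncodingContext> consentedAttributesClaims(OAuth2AuthorizationConsentService consents) {
        return ctx -> {
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(ctx.getTokenType())) return;
            OAuth2AuthorizationConsent consent =
                consents.findById(ctx.getRegisteredClient().getId(), ctx.getPrincipal().getName());
            if (consent == null) return;
            Map<String, Set<String>> attrs = AttributeConsent.attributesOf(consent);
            if (!attrs.isEmpty()) ctx.getClaims().claim(AttributeConsent.CLAIM, attrs);
        };
    }
}
```

Because the token customizer reads the saved consent on every token issuance rather than copying values into the authorization once, a value the user later removes from their consent disappears from the next refreshed access token, and the SCOPE_ authorities keep driving the standard scope checks unchanged.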