This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
This is just a proposal so far, it hasn't been accepted and needs further discussion.
While not strictly required most OAuth2 implementations include a consent screen.
- Build consent screen in the first version
- No built-in consent screen at first
- No built-in consent screens
Chosen option: No built-in consent screen at first, because
- We can get initial support earlier
- We can ensure future versions will not need migration
What we need store to enable this in the future:
- enabled scopes (per client):
- required anyway
- auto allowed scopes (per client):
- these scopes are allowed ("consented to") by default for every user, meaning
- in the future these will be the scopes that cannot be disabled on the consent screen
- required/optional scopes can be described in the authorization request