Is it possible to enable user-level scope instead of a client-level scope in Spring Authorization Server? Is this a workable idea?


I'm currently using Spring Authorization Server. I have an OAuth client, `aggregator`, with `account`, `profile` and `openid` as allowed scopes. Every time a user goes through the Authorization Code flow, they are presented with a consent page listing these scopes (provided the request has scopes).

The aggregator client is used to generate tokens which will be used to initiate multiple financial transactions (for example). I'm looking at enabling a more fine-grained control.

Say, a user has accounts - a, b and c, but wants to authorize access only to a and b. I'm expecting the consent page to list these three accounts and accommodate these while generating the token, despite a, b and c not being a client-level scope.

I can build some service to fetch and paint these in the consent page. I am looking to see if I can extend Spring's existing consent functionality to scopes that are maintained outside the Authorization Server and are not necessarily client-level scopes.

I need some help in validating if my approach is correct and in understanding if Spring Authorization Server can help me achieve this through some customization.

I have been able to identify the blocks of code in Spring Authorization Server where the scope matching is done, and checked whether there is a hook to override or disable this validation.

I am currently going through the design, documentation and the source code for Spring Authorization Server to see what bits I can re-use to build the custom user scopes and not rely on client-level scopes.


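One way the question's per-account consent could be modelled without touching client-level scope validation, as an added example (not from the question or from Spring Authorization Server's own code): record the user's selected accounts as consent *authorities* on the `OAuth2AuthorizationConsent`, keep `account profile openid` as the only scopes, and copy the consented account ids into the access token with an `OAuth2TokenCustomizer`. The `ACCOUNT_` authority prefix, the `accounts` claim name, the `buildConsent` helper and the external account service that supplies the owned-account list are all assumptions.

```java
// Added example, not from the question nor from Spring Authorization Server's own code.
// Client-level scopes stay as they are; the user's account choice lives in consent
// authorities. "ACCOUNT_" prefix and "accounts" claim name are placeholders.
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.server.authorization.*;
import org.springframework.security.oauth2.server.authorization.token.*;

@Configuration
public class AccountConsentConfig {
    static final String ACCOUNT_PREFIX = "ACCOUNT_";

    // Called by a custom consent handler (assumed) once the user has ticked, say, a and b.
    // ownedAccounts comes from an external account service (assumed), never from the form.
    public static OAuth2AuthorizationConsent buildConsent(String registeredClientId, String principalName,
            Set<String> approvedScopes, Set<String> ownedAccounts, Set<String> selectedAccounts) {
        OAuth2AuthorizationConsent.Builder builder =
                OAuth2AuthorizationConsent.withId(registeredClientId, principalName);
        approvedScopes.forEach(builder::scope); // client-level scopes, still validated by SAS
        for (String account : selectedAccounts) {
            // Server-side check: a tampered form must not grant an account the user does not own.
            if (!ownedAccounts.contains(account)) {
                throw new IllegalArgumentException("account not owned by user: " + account);
            }
            builder.authority(new SimpleGrantedAuthority(ACCOUNT_PREFIX + account));
        }
        return builder.build();
    }

    // Copies the consented account ids into the access token so resource servers can enforce them.
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> accountClaimCustomizer(
            OAuth2AuthorizationConsentService consentService) {
        return context -> {
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) return;
            OAuth2AuthorizationConsent consent = consentService.findById(
                    context.getRegisteredClient().getId(), context.getPrincipal().getName());
            if (consent == null) return;
            List<String> accounts = consent.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority).filter(a -> a.startsWith(ACCOUNT_PREFIX))
                    .map(a -> a.substring(ACCOUNT_PREFIX.length())).sorted().collect(Collectors.toList());
            context.getClaims().claim("accounts", accounts);
        };
    }
}
```

Resource servers then authorize a transaction against the `accounts` claim rather than against scope alone, so a token consented for a and b cannot touch c even though the client is allowed the `account` scope.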