I am developing open banking software. The bank user (also called the customer) must allow a third-party application to call banking services, such as cash withdrawal and transaction viewing, for one of his accounts and for a limited amount. To implement this, the OAuth protocol should be used. To grant permission to call these web services, some scopes are defined, for example a scope for the withdrawal service and a scope for the transaction-viewing service. The important thing is that these permissions should not be given for all of the user's accounts. The customer will see a list of his accounts on the approval page, and the accounts should be selectable. The user will allow the third-party system to withdraw or view transactions. If the scope requested by the third-party system includes cash withdrawal, the approval page should also include the amount for each account. Are the account list and their amounts scopes? We can't define these scopes beforehand because each user has different accounts.
If the account and amount are not scopes, how should they be obtained and saved on the approval page after confirmation by the user?
I changed the approval page to show the list of accounts to resolve this issue, then expected these accounts to be stored in the Approval table, but apparently within the ApprovalStoreUserApprovalHandler class
the updateAfterApproval method only filters and stores previously defined scopes from the list of parameters:
```java
public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest,
        Authentication userAuthentication) {
    // Get the approved scopes
    Set<String> requestedScopes = authorizationRequest.getScope();
    Set<String> approvedScopes = new HashSet<String>();
    Set<Approval> approvals = new HashSet<Approval>();
    Date expiry = computeExpiry();
    // Store the scopes that have been approved / denied
    Map<String, String> approvalParameters = authorizationRequest.getApprovalParameters();
    for (String requestedScope : requestedScopes) {
        // Only form parameters named "<scopePrefix><scope>" are looked at; anything else is ignored
        String approvalParameter = scopePrefix + requestedScope;
        String value = approvalParameters.get(approvalParameter);
        value = value == null ? "" : value.toLowerCase();
        if ("true".equals(value) || value.startsWith("approve")) {
            approvedScopes.add(requestedScope);
            approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(),
                    requestedScope, expiry, ApprovalStatus.APPROVED));
        }
        else {
            approvals.add(new Approval(userAuthentication.getName(), authorizationRequest.getClientId(),
                    requestedScope, expiry, ApprovalStatus.DENIED));
        }
    }
    approvalStore.addApprovals(approvals);
    boolean approved;
    authorizationRequest.setScope(approvedScopes);
    if (approvedScopes.isEmpty() && !requestedScopes.isEmpty()) {
        approved = false;
    }
    else {
        approved = true;
    }
    authorizationRequest.setApproved(approved);
    return authorizationRequest;
}
```
One way I can think of is to customize a UserApprovalHandler to save all scopes. I think I may have misunderstood the concept altogether.
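As an added example (not part of the question and not Spring Security OAuth's own code), this is one way to keep the scope approvals in the stock handler while treating the selected accounts and per-account limits as separate consent data rather than as scopes. The scope name `withdraw`, the form field names `account.<id>` / `limit.<id>`, and the `AccountService` / `ConsentStore` interfaces are assumptions; the ownership check against the authenticated user is the point, since the account ids come back from the browser and can be tampered with.

```java
import java.io.Serializable;
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler;

// Hypothetical collaborators; real implementations would back onto the bank's account and consent stores.
interface AccountService { Set<String> accountIdsOwnedBy(String username); }
interface ConsentStore { void save(String username, String clientId, String accountId, BigDecimal limit); }

public class AccountAwareApprovalHandler extends ApprovalStoreUserApprovalHandler {
    private static final String WITHDRAW_SCOPE = "withdraw";  // assumed scope name
    private static final String ACCOUNT_PREFIX = "account.";  // approval-page field: account.<id>=true
    private static final String LIMIT_PREFIX = "limit.";      // approval-page field: limit.<id>=<amount>
    private final AccountService accounts;
    private final ConsentStore consents;

    public AccountAwareApprovalHandler(AccountService accounts, ConsentStore consents) {
        this.accounts = accounts;
        this.consents = consents;
    }

    @Override
    public AuthorizationRequest updateAfterApproval(AuthorizationRequest request, Authentication user) {
        // Let the stock handler record scope approvals/denials in the Approval table first.
        AuthorizationRequest updated = super.updateAfterApproval(request, user);
        boolean withdrawApproved = updated.getScope().contains(WITHDRAW_SCOPE);
        Set<String> owned = accounts.accountIdsOwnedBy(user.getName());  // server-side ownership check
        Map<String, String> params = request.getApprovalParameters();
        Map<String, Serializable> ext = new HashMap<>();
        if (updated.getExtensions() != null) ext.putAll(updated.getExtensions());
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!e.getKey().startsWith(ACCOUNT_PREFIX) || !"true".equalsIgnoreCase(e.getValue())) continue;
            String accountId = e.getKey().substring(ACCOUNT_PREFIX.length());
            if (!owned.contains(accountId)) continue;  // never trust an id the user does not own
            BigDecimal limit = BigDecimal.ZERO;        // zero = view-only consent for this account
            if (withdrawApproved) {
                try { limit = new BigDecimal(params.getOrDefault(LIMIT_PREFIX + accountId, "0")); }
                catch (NumberFormatException ex) { continue; }  // malformed amount: skip the account
                if (limit.signum() <= 0) continue;              // withdrawal consent needs a positive cap
            }
            consents.save(user.getName(), updated.getClientId(), accountId, limit);
            ext.put("consent." + accountId, limit.toPlainString());  // available to a TokenEnhancer later
        }
        updated.setExtensions(ext);
        return updated;
    }
}
```

The resource server then enforces the per-account limit from the consent store (or from the token claims a TokenEnhancer copies out of the extensions), so the scope stays coarse and the account/amount decision stays server-side and auditable.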