Open
Description
ie:
- application: ....
authorized_groups: [xxx]
display_groups: [yyy]
In this situation, the tile will be displayed to yyy, but xxx will have access. This is useful for certain use cases where it's difficult to match access with display due to RP shortcomings.
In general, you'd set this up to have display_groups be a known-possible-subset of authorized_groups (including authorized_groups: [everyone]) for this setup to make sense.
This also solves the "egencia" RP use case a little better, i.e. RPs with the same client id, but different login URLs, where the URL depends on which group you're in for other purposes than access control
NOTE: This also means that authorized_groups and authorized_users are still used for display IF display_groups and display_users are null or not present, as fallback.
Metadata
Assignees
Labels
No labels
Activity