add new User.sessions scope
Pull request overview
Adds a new JS SDK user scope (urn:logto:scope:sessions) intended for session-management authorization (Account API), without introducing any new ID token or userinfo claims.
Changes:
- Add `UserScope.Sessions` to the `UserScope` enum.
- Ensure the new scope maps to no claims in `idTokenClaims`/`userinfoClaims`.
- Add a changeset entry for releasing the new scope.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| packages/js/src/consts/openid.ts | Introduces UserScope.Sessions and wires it into the scope→claims maps as an empty-claims scope. |
| .changeset/cold-mayflies-crash.md | Adds release note for the new sessions scope. |
| * Scope for user's sessions. | ||
| * | ||
| * Only used for session management via account API. | ||
| * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint. |
The JSDoc says "Not included in user claims" but this scope is still part of the userClaims mapping (with an empty array). Consider rewording to clarify that requesting this scope does not add any ID token / userinfo claims (rather than implying it is absent from the mapping entirely).
| * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint. | |
| * Requesting this scope does not add any ID token or userinfo claims; it is not intended for ID Token or Userinfo responses. |
| "@logto/js": patch | ||
| --- | ||
|
|
||
| indroduce new user scope urn:logto:scope:sessions |
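Review bot: The `"@logto/js": patch` line at the top of this changeset marks the release as a patch, yet the change adds a new exported enum member (UserScope.Sessions), which is an additive API change. Consider declaring it as `minor`, unless the project's convention is to ship new scopes as patch releases, in which case a short note in the entry would help consumers who pin versions.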
Typo in changeset entry: "indroduce" should be "introduce".
| indroduce new user scope urn:logto:scope:sessions | |
| introduce new user scope urn:logto:scope:sessions |
|
|
||
| indroduce new user scope urn:logto:scope:sessions | ||
|
|
||
| This new `User.sessions` scope is used for session management account API permission control. It does not include any claims in ID token or userinfo endpoint, as it's not meant for user information retrieval but rather for controlling access to session management features. |
The changeset text references User.sessions, but the JS API exposed by this PR is UserScope.Sessions (and there doesn't appear to be a User.sessions symbol in the package). Please update the changeset wording to match the actual exported API name to avoid confusing consumers.
| This new `User.sessions` scope is used for session management account API permission control. It does not include any claims in ID token or userinfo endpoint, as it's not meant for user information retrieval but rather for controlling access to session management features. | |
| This new `UserScope.Sessions` scope is used for session management account API permission control. It does not include any claims in ID token or userinfo endpoint, as it's not meant for user information retrieval but rather for controlling access to session management features. |
Summary
Add new `User.sessions` scope
Testing
Checklist
.changeset