Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix user scope propagations in tokens #761

Closed
wants to merge 23 commits into from
Closed

Fix user scope propagations in tokens #761

wants to merge 23 commits into from

Conversation

XVincentX
Copy link
Member

@XVincentX XVincentX commented Jun 25, 2018
edited
Loading

The following PR will fix the scope propagation story around the oAuth2 story.

What (I think) was wrong

Basically I noticed that all the scope resolution and checking was done on the oauth2 credential type, which is the one that is merely identifying the client.

Consider the following scenario:

  1. You create an oAuth2 credential type (identifying an application). I put on this credential the scopes read, write.
  2. You then create an user with a basic-auth credential set, and I put diffetent scopes, such as create, investigate
  3. I log in using the code flow, or the password flow (it does not really matter) and I put my username and password
  4. I receive the read/write scopes, although my personal credential have a different set of scopes

This PR is changing this behavior putting the user scope at the center of the checks and returned values.

What (I think) was the intention

Now that I recall also other changes I made in the identity server, I think the original intention was to have user-level oauth2 credentials; this thing was unfortunately not documented and not implemented correctly — that has been causing a lot of confusion that led us to discover these bugs.

In other words — we still need to work a lot on the credential system, but we'll slowly get there somehow. 🤞

Other perks

  1. I've converted some of the tests from callback/Promise pyramid to a more sustainable approach
  2. I've renamed the authorizeCredential — that means all and nothing — to checkScopesOnCredential, which is what that function is doing for real.
  3. I've wrote a comment on why we're setting a transaction_id header in the oAuth2 response, which is not required by the spec (it took me ages to discover why)
  4. I've removed some useless if statements around the checkCredentialScopes function; it's got already an inner check that's returning true in case the scopes aren't provided.

This needs to be reviewed very carefully as it's changing some internal behaviors that I think they were wrong. The only concern I have — I might be missing some of the original intentions so please guys, point anything that feels weird to you.

Connect #740
Closes #740

Needs #758

@XVincentX XVincentX force-pushed the bugfix/user-scope-propagation branch from 6ace6d7 to 0319031 Compare June 25, 2018 13:13
@codecov
Copy link

codecov bot commented Jun 25, 2018
edited
Loading

Codecov Report

Merging #761 into master will decrease coverage by <.01%.
The diff coverage is 94.59%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #761      +/-   ##
==========================================
- Coverage   88.93%   88.92%   -0.01%     
==========================================
  Files         129      129              
  Lines        3543     3532      -11     
==========================================
- Hits         3151     3141      -10     
+ Misses        392      391       -1
Impacted Files Coverage Δ
lib/policies/key-auth/keyauth.js 83.33% <100%> (-0.67%) ⬇️
lib/policies/oauth2/oauth2.js 89.83% <100%> (+1.95%) ⬆️
lib/policies/basic-auth/basic-auth.js 92% <100%> (-0.31%) ⬇️
lib/services/auth.js 90.78% <100%> (ø) ⬆️
lib/services/tokens/token.service.js 96.8% <100%> (-0.14%) ⬇️
lib/policies/oauth2/oauth2-server.js 91.39% <92.3%> (-0.91%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e1e37e9...960339d. Read the comment docs.

@XVincentX XVincentX force-pushed the bugfix/user-scope-propagation branch from 79ab2c5 to 960339d Compare June 25, 2018 15:45
@XVincentX XVincentX self-assigned this Aug 16, 2018
@XVincentX XVincentX closed this May 14, 2019
@XVincentX XVincentX deleted the bugfix/user-scope-propagation branch May 14, 2019 01:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kevinswiber kevinswiber Awaiting requested review from kevinswiber

@DrMegavolt DrMegavolt Awaiting requested review from DrMegavolt

Assignees

@XVincentX XVincentX

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

User scopes do not get propagated to the returned JWT provided by EG
1 participant
@XVincentX