Invalid validation of scopes when using PAT (with ZSS) #3976

Open
pj892031 opened this issue Feb 3, 2025 · 0 comments
Labels: bug (Verified defect in functionality), Priority: High

Comments

pj892031 (Contributor) commented Feb 3, 2025

Describe the bug
This issue is not strictly related to ZSS, but it is possible to simulate it there because ZSS is not using ZaasClient or a similar approach as other services. ZSS downloads the JWK from the Gateway and then validates locally without any call. But fixing just ZSS is probably not the solution.

When the user sends a request with a PAT (with invalid scopes - the service is missing from the list), the Gateway asks ZAAS to apply the authentication scheme, and it returns 401. ZAAS rejects the token because of the scopes. The Gateway then leaves the token in the request and continues treatment. A service such as ZSS validates the token with the JWK and decides it is valid because the signature and expiration time are valid.

This concrete use case contains a couple of issues:

  1. there is no reason to propagate a PAT with invalid scopes
  • ZAAS should rather return 403 in case of invalid scopes, and the Gateway should then remove all attributes about credentials (as the Gateway does in case of a successful credential transformation)
  2. ZSS doesn't support PAT
  • it should recognize a PAT and handle it in a different way (check the scope)
  • the easy implementation should be to verify scopes in all cases and skip the check if they are missing (the regular JWT)
  3. ZSS accepts a revoked token
  • it should call the GW via ZaasClient
  4. Zaas Client does not support PAT
  • to verify a PAT through the Zaas Client it is necessary to provide the serviceId

Steps to Reproduce

  1. deploy Zowe with ZSS
  2. generate PAT without scope zss
  3. access an endpoint on ZSS
  4. endpoint is accessible

Expected behavior
The response code should be 401

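The two validation paths described above, side by side, as an added example that is not code from ZSS or the API Mediation Layer. It assumes a PAT is a JWT carrying a `scopes` claim that lists service IDs, and signs demo tokens with an HS256 key (real Zowe tokens are RS256-signed and verified with the Gateway's JWK). `verify_signature_and_expiry` reproduces the check that lets an out-of-scope PAT through; `verify_for_service` additionally enforces scopes when the claim is present and leaves regular JWTs untouched, which is the fix suggested in point 2.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; HS256 only keeps the example self-contained (real: RS256 + JWK).
SECRET = b"demo-secret-not-a-real-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a demo HS256 JWT; a PAT is a JWT that carries a 'scopes' claim (assumed)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_signature_and_expiry(token: str) -> Optional[dict]:
    """The check described in the issue: signature and expiry only, scopes ignored."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= time.time():
        return None
    return claims

def verify_for_service(token: str, service_id: str) -> Optional[dict]:
    """Hardened check: if a 'scopes' claim is present (PAT), the target service
    must be listed; a regular JWT without scopes passes exactly as before."""
    claims = verify_signature_and_expiry(token)
    if claims is None:
        return None
    scopes = claims.get("scopes")
    if scopes is not None and service_id not in scopes:
        return None
    return claims

# Constructed sample tokens: a PAT scoped to another service, and a plain JWT.
_EXP = int(time.time()) + 3600
PAT_WITHOUT_ZSS = make_token({"sub": "USER", "exp": _EXP, "scopes": ["apicatalog"]})
PLAIN_JWT = make_token({"sub": "USER", "exp": _EXP})
```

With the signature-and-expiry check alone, `PAT_WITHOUT_ZSS` is accepted for `zss`; with the scope-aware check it is rejected while `PLAIN_JWT` still passes.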

@pj892031 pj892031 added bug Verified defect in functionality new New issue that has not been worked on yet labels Feb 3, 2025
@EvaJavornicka EvaJavornicka added Priority: High and removed new New issue that has not been worked on yet labels Feb 5, 2025
@EvaJavornicka EvaJavornicka moved this from New to Unplanned Bugs in API Mediation Layer Backlog Management Feb 5, 2025