Comments (7)
aeneasr
commented on May 22, 2024
Yeah, the scope field should be configurable in oathkeeper. This is the second time this came up!
from oathkeeper.
ProMPT120
commented on May 22, 2024
Was going to prepare a PR about this (and already modified line 132 for internal use). According to the RFC and in practice multiple IdP such as Okta, Microsoft and even hydra use the scp field to specify the oauth2 scope to be validated. Do we need to pass the scope field as an environment variable, in order not to break the current use with "scope" ? It is a pretty big deal to differ from the RFC as mentionned http://self-issued.info/docs/draft-ietf-oauth-token-exchange-03.html#scopes and some big jwt implementation providers (https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens, OKTA access token scp https://developer.okta.com/docs/api/resources/oidc).
from oathkeeper.
aeneasr
commented on May 22, 2024
Hm, I think we could probably default to scp and have a configuration setting in the route which sets the key, for example:
"authenticators": [{
"handler": "oauth2_client_credentials",
"config": {
"required_scope": ["scope-a", "scope-b"],
"scope_keys": ["scp", "scope"]
}
}],
What do you think about that?
from oathkeeper.
ProMPT120
commented on May 22, 2024
Handler : "jwt" in our usecase, but this fix clearly allows for multiple scope headers including "scp" as you mentionned earlier (if other people want to differ from ietf). Will you keep "scp" or "scope" as default one in order not to break previous oathkeeper implementations ?
from oathkeeper.
aeneasr
commented on May 22, 2024
Oh yeah right, I mixed that up - but I think the same configuration would work there too :) Regarding BC, that's a good question. I think it makes sense to default to something that is being used more commonly and have a BC break here. Would you be open to PR this?
from oathkeeper.
ProMPT120
commented on May 22, 2024
Done on default values and test cases. Working on scope_keys feature.
from oathkeeper.
ngrigoriev
commented on May 22, 2024
+1 - I have just hit this issue. It is a bit ironic that ORY Oathkeeper is not compatible with the tokens issued by ORY Hydra. I've been building the prototype with Hydra, Ambassador and Oathkeeper and ended up having this problem "Token is missing required scope...". Digged the code and found exactly that problem.
from oathkeeper.
Related Issues (20)
- `strip_path` strips the prefix from the final upstream request, not the initial request HOT 2
- The ability to pass oauth scopes to the application layer without having to write checks on every route. HOT 2
- Allow for easily matching rules using path prefixes HOT 7
- Regex path matching isn't working. HOT 10
- Oathkeeper duplicates CORS headers HOT 3
- X-Forwarded headers missing from oauth2-client-credentials authenticator request on v.0.40.3, breaking hydra TLS termination HOT 1
- Authenticator: Bearer_token w. "query_parameter" selector consumes request body
- Observed memory leak in v0.40.3 HOT 4
- Configure JWT authenticator not to logging sensitive data
- Allow/deny `remote(_json)` authorizers depending response content
- Allow API key pre-authorization in oauth2_introspection authenticator HOT 2
- "any" matching option for "required_scope" in JWT authenticator HOT 1
- Docs wrong for `bearer_token` Subject default location
- upstream reference closed: github.com/GoogleContainerTools/distroless/issues/1342
- Authorizer "remote" throws exception "invalid Read on closed Body" if request body is present in request HOT 13
- Basic Authorization header result in Unauthorized when using `anonymous` authenticator handler
- Oathkeeper does not support X-Forwarded headers properly HOT 3
- Reference to .MatchContext.RegexpCaptureGroups doesn't render in access rules authenticator config
- Decision API is not respecting the token_from config
- Outdated OTEL dependencies prevent import
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oathkeeper.