apigee/microgateway-config

When "proxies" are set in configuration file, oauth does not check proxy-less products

francesco38 opened this issue · 2 comments

For some context, please review this post in the community forum.

We are using "proxy-less" products as we're running EMG across multiple organizations that do not share proxy definitions. The flag oauth.productOnly added in EMG v.2.5.4 is a key enabler for our use case. Path-based access control (i.e. only considering the Resource Paths of products) generally works fine for us, so we can do access control using proxy-less products and the oauth plugin.

However, we discovered that as soon as we restrict a given EMG instance to a particular set of proxies (using the proxies configuration element), oauth no longer works as expected. In particular, if a client app is granted access to any proxy-less product, this client app can access any of our EMG resources. Once again, if we leave proxies unset, resource control works as expected across proxies.

We run EMG co-located with selected APIs on Kubernetes pods. Our services run with a target path set to "localhost:XXX", where localhost is the pod that runs EMG. Only EMG is exposed at pod level. A particular EMG instance can only access the APIs that run on its pod, so using proxies is mandatory for us.

We therefore need oauth-plugin-driven, product-based access control to work the same whether or not we use proxies, provided we operate with oauth.productOnly = true.

I am creating this in this repository since this is where the configuration oauth.product_to_api_resource array is created. This array is empty when we define proxy-less products, which prevents oauth from working correctly.
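The following is an added illustration, not code from microgateway-config or from the reporter. It models the two facts stated in this report (the product-to-resource map loses proxy-less products once an instance is restricted to a set of proxies, and oauth then stops enforcing resource paths for them) with constructed product data, and shows the two defensive points a maintainer would want: keep proxy-less products in the map when productOnly is on, and fail closed rather than open when a product has no known resource paths. The product list, the map-building logic and the `failOpen` switch are assumptions made for the demonstration; only the `proxies` element and `oauth.productOnly` setting are taken from the report.

```javascript
// Constructed sample product list (not real Apigee data). A proxy-less product has an
// empty `proxies` list and relies solely on its resource paths.
const sampleProducts = [
  { name: 'orders-product', proxies: ['orders-proxy'], resources: ['/orders/**'] },
  { name: 'catalog-product', proxies: [], resources: ['/catalog/**'] },
];

// Build product -> resource paths (assumed model, not the project's own code). With
// `configuredProxies` set, only products referencing one of those proxies are kept, so a
// proxy-less product disappears from the map: the symptom in the report. `productOnly`
// models the expected fix: a proxy-less product is always kept in that mode.
function buildProductToResourceMap(products, configuredProxies, productOnly = false) {
  const map = {};
  for (const p of products) {
    const unrestricted = configuredProxies.length === 0;
    const matchesProxy = p.proxies.some((px) => configuredProxies.includes(px));
    const keepProxyless = productOnly && p.proxies.length === 0;
    if (unrestricted || matchesProxy || keepProxyless) map[p.name] = p.resources.slice();
  }
  return map;
}

// Apigee-style resource path to RegExp: `**` spans path segments, `*` stays within one.
// Simplified on purpose; real Apigee path matching has additional rules.
function resourcePathToRegExp(pattern) {
  const escape = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '[^/]*');
  return new RegExp('^' + pattern.split('**').map(escape).join('.*') + '$');
}

// Decide whether a request path is allowed for the products the client's app holds.
// `failOpen: true` models the over-permissive outcome described in the issue (a product
// with no known resource paths is treated as unrestricted); the default fails closed.
function isPathAuthorized(map, appProducts, requestPath, { failOpen = false } = {}) {
  for (const name of appProducts) {
    const resources = map[name];
    if (!resources || resources.length === 0) {
      if (failOpen) return true; // the dangerous branch: unknown product grants everything
      continue; // fail closed: an unknown product grants nothing
    }
    if (resources.some((r) => resourcePathToRegExp(r).test(requestPath))) return true;
  }
  return false;
}

// Walk through the scenario from the report: an app granted only the proxy-less
// catalog product, on an EMG instance restricted to `orders-proxy`.
function runScenario() {
  const restricted = ['orders-proxy'];
  const buggyMap = buildProductToResourceMap(sampleProducts, restricted);
  const fixedMap = buildProductToResourceMap(sampleProducts, restricted, true);
  const app = ['catalog-product'];
  return {
    buggyMapHasCatalog: Object.prototype.hasOwnProperty.call(buggyMap, 'catalog-product'),
    buggyFailOpenAllowsOrders: isPathAuthorized(buggyMap, app, '/orders/42', { failOpen: true }),
    buggyFailClosedAllowsCatalog: isPathAuthorized(buggyMap, app, '/catalog/1'),
    fixedAllowsCatalog: isPathAuthorized(fixedMap, app, '/catalog/1'),
    fixedDeniesOrders: isPathAuthorized(fixedMap, app, '/orders/42'),
  };
}

console.log(runScenario());
```

Running it shows the two halves of the problem side by side: with the restricted map and a fail-open check, the catalog-only app reaches `/orders/42`; with a fail-closed check the same app reaches nothing at all, which is safe but breaks the legitimate use case; only the productOnly-aware map both allows `/catalog/1` and denies `/orders/42`.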

Should this be closed?

@ChrisDillinger I believe this has been fixed (this was discussed with @srinandan, who reimplemented the code directly as I was chasing approval to contribute to the Google code repo). Yes, this can be closed.