Investigate multiple scope specification
Closed this issue · 0 comments
BenjaminPelletier commented
Currently, we map "roles" in the standard to "scopes" of authorization. The result is that sometimes it is appropriate for more than one role to be able to access an endpoint (for instance, making reports to the DSS). Currently, we list multiple scopes for these endpoints; however, this may be unintentionally requiring all listed scopes per OpenAPI 3.0. We may need to change from, e.g.:
```yaml
security:
  - Authority:
      - utm.constraint_management
      - utm.constraint_consumption
      - utm.strategic_coordination
```
to
```yaml
security:
  - Authority:
      - utm.constraint_management
  - Authority:
      - utm.constraint_consumption
  - Authority:
      - utm.strategic_coordination
```
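
How OpenAPI 3.0 evaluates the two forms in the comment above, as an added example (not part of the original issue or the project's code): scopes inside one security requirement object are all required, while separate objects in the `security` list are alternatives. The function names, the sample tokens and the `utm.other_scope` value are constructed for illustration.

```python
# Added illustration: evaluates an OpenAPI 3.0 `security` list against the
# scopes granted in an access token. Function and variable names are
# hypothetical; the three utm.* scope names are the ones used in the issue.

def requirement_satisfied(requirement, granted):
    """One Security Requirement Object: every scheme, and every scope
    listed under that scheme, must be granted (logical AND)."""
    return all(
        scheme in granted and set(scopes) <= granted[scheme]
        for scheme, scopes in requirement.items()
    )

def authorized(security, granted):
    """The `security` list: satisfying any one requirement object
    is enough (logical OR)."""
    return any(requirement_satisfied(req, granted) for req in security)

# Current form from the issue: one requirement object listing three scopes.
COMBINED = [
    {"Authority": [
        "utm.constraint_management",
        "utm.constraint_consumption",
        "utm.strategic_coordination",
    ]},
]

# Proposed form: three requirement objects, one scope each.
ALTERNATIVES = [
    {"Authority": ["utm.constraint_management"]},
    {"Authority": ["utm.constraint_consumption"]},
    {"Authority": ["utm.strategic_coordination"]},
]

# Constructed sample tokens: scopes granted per security scheme.
SINGLE_ROLE = {"Authority": {"utm.strategic_coordination"}}
ALL_ROLES = {"Authority": set(COMBINED[0]["Authority"])}
UNRELATED = {"Authority": {"utm.other_scope"}}  # constructed scope name

if __name__ == "__main__":
    tokens = (("single", SINGLE_ROLE), ("all", ALL_ROLES), ("unrelated", UNRELATED))
    for name, spec in (("combined", COMBINED), ("alternatives", ALTERNATIVES)):
        for label, token in tokens:
            print(f"{name:12} {label:9} authorized={authorized(spec, token)}")
```

With the combined form, a token holding only one of the three role scopes is rejected; with the split form it is accepted, and a token holding none of them is rejected in both.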