ory/oathkeeper

"any" matching option for "required_scope" in JWT authenticator

damianpietruszewski opened this issue · 2 comments

Context and scope

Currently, all scopes in required_scope in the JWT authenticator are required to be matched by token scopes.

Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1 scope2"


We would like an option so any (at least one) match would be enough.

Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1"


We have started a discussion about it in #1038.

Goals and non-goals

Goals:

  • "any" matching option of required_scope

Non-goals:

  • Complex matching rules of required_scope consisting of mix of logical ANDs and ORs

The design

We propose a new JWT authenticator configuration option: scope_match_multiplicity.

scope_match_multiplicity will control how many matches of required_scope are required. Supported values for scope_match_multiplicity: all, any.

scope_match_multiplicity should be optional, and the option all should be its default, as it reflects the current logic.

  1. all scope match multiplicity option requires all scopes from required_scope to be matched by token scopes.
    Example of a match:
    "required_scope": ["scope1", "scope2"]
    token scopes: "scope1 scope2"
  2. any scope match multiplicity option requires at least one scope from required_scope to be matched by token scopes.
    Example of a match:
    "required_scope": ["scope1", "scope2"]
    token scopes: "scope1"

APIs

No response

Data storage

No response

Code and pseudo-code

No response

Degree of constraint

No response

Alternatives considered

  1. Complex matching rules for required_scope consisting of a mix of logical ANDs and ORs
  • for someone who needs only "OR" or only "AND" matching, this introduces unnecessary complexity
  • it may require a different format for required_scope
  2. Merging scope_strategy and scope_match_multiplicity into one value
  • scope_strategy and scope_match_multiplicity control different matters
  • these options can be used in various combinations, so there would need to be a constant for each combination, e.g. exact_all, exact_any
  • the scope_strategy values are extracted into a separate library and are probably used in many different apps, which our changes would affect
  3. A separate field any_scope, similar to required_scope, for scopes that require at least one match, instead of scope_match_multiplicity
  • each scope_match_multiplicity option would have to be implemented as a new x_scope field
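The following is an added illustration of the proposed design and is not oathkeeper's own code: a self-contained Go sketch of how the JWT authenticator config could parse scope_match_multiplicity (defaulting to all, rejecting unknown values at config time) and apply it next to an independent scope_strategy. The config JSON fragments, the type and function names, and the simplified "exact"/"hierarchic" strategies are assumptions made for this example; the real scope strategies live in a separate library and are not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// JWTAuthenticatorConfig is a constructed subset of the JWT authenticator
// configuration for this example. scope_match_multiplicity is the option
// proposed in this issue; required_scope and scope_strategy already exist.
type JWTAuthenticatorConfig struct {
	RequiredScope          []string `json:"required_scope"`
	ScopeStrategy          string   `json:"scope_strategy"`           // "exact" (default) or "hierarchic" in this example
	ScopeMatchMultiplicity string   `json:"scope_match_multiplicity"` // "all" (default) or "any"
}

// ParseConfig unmarshals the JSON config and applies the proposed default:
// a missing scope_match_multiplicity means "all", i.e. today's behaviour.
// An unknown value is a configuration error rather than a silent fallback,
// so a typo such as "anny" cannot quietly change who is let through.
func ParseConfig(raw string) (JWTAuthenticatorConfig, error) {
	var c JWTAuthenticatorConfig
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return c, err
	}
	if c.ScopeMatchMultiplicity == "" {
		c.ScopeMatchMultiplicity = "all"
	}
	switch c.ScopeMatchMultiplicity {
	case "all", "any":
	default:
		return c, fmt.Errorf("scope_match_multiplicity: unsupported value %q (want \"all\" or \"any\")", c.ScopeMatchMultiplicity)
	}
	if c.ScopeStrategy == "" {
		c.ScopeStrategy = "exact"
	}
	switch c.ScopeStrategy {
	case "exact", "hierarchic":
	default:
		return c, fmt.Errorf("scope_strategy: unsupported value %q", c.ScopeStrategy)
	}
	return c, nil
}

// scopeGranted reports whether one required scope is covered by the token's
// scopes under the given strategy. "exact" needs a literal match; "hierarchic"
// is a simplified stand-in (assumption for this example) where a granted
// "photos" also covers "photos.read". The strategy decides what counts as a
// match; the multiplicity decides how many matches are needed.
func scopeGranted(strategy string, granted []string, required string) bool {
	for _, g := range granted {
		if g == required {
			return true
		}
		if strategy == "hierarchic" && strings.HasPrefix(required, g+".") {
			return true
		}
	}
	return false
}

// ScopesSatisfied applies required_scope to the token's space-separated scope
// claim. With "all" every required scope must be granted; with "any" one is
// enough. An empty required_scope means no scope check, which is what "all"
// already yields; the example keeps that for "any" too, so that switching
// multiplicity never turns an unrestricted rule into one that rejects every token.
func ScopesSatisfied(c JWTAuthenticatorConfig, tokenScope string) bool {
	granted := strings.Fields(tokenScope)
	if len(c.RequiredScope) == 0 {
		return true
	}
	switch c.ScopeMatchMultiplicity {
	case "any":
		for _, r := range c.RequiredScope {
			if scopeGranted(c.ScopeStrategy, granted, r) {
				return true
			}
		}
		return false
	default: // "all"
		for _, r := range c.RequiredScope {
			if !scopeGranted(c.ScopeStrategy, granted, r) {
				return false
			}
		}
		return true
	}
}

func main() {
	// Constructed config fragments mirroring the examples in the issue.
	allCfg, _ := ParseConfig(`{"required_scope": ["scope1", "scope2"]}`)
	anyCfg, _ := ParseConfig(`{"required_scope": ["scope1", "scope2"], "scope_match_multiplicity": "any"}`)
	for _, tc := range []struct {
		name  string
		cfg   JWTAuthenticatorConfig
		scope string
	}{
		{"all, both present", allCfg, "scope1 scope2"},
		{"all, one missing", allCfg, "scope1"},
		{"any, one present", anyCfg, "scope1"},
		{"any, none present", anyCfg, "scope3"},
	} {
		fmt.Printf("%-20s -> %v\n", tc.name, ScopesSatisfied(tc.cfg, tc.scope))
	}
	if _, err := ParseConfig(`{"required_scope": ["scope1"], "scope_match_multiplicity": "anny"}`); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Two choices in the sketch are worth stating explicitly in whatever implementation lands: an unrecognised multiplicity value fails config validation instead of falling back to "any" (the permissive mode), and an empty required_scope behaves the same under both multiplicities, so the default-preserving promise of the proposal holds for rules that set no scopes at all.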

very useful