"any" matching option for "required_scope" in JWT authenticator
damianpietruszewski opened this issue · 2 comments
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Context and scope
Currently all scopes in required_scope in the JWT authenticator are required to be matched by token scopes.
Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1 scope2"
We would like an option so any (at least one) match would be enough.
Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1"
We have started a discussion about it in #1038.
Goals and non-goals
Goals:
- "any" matching option of
required_scope
Non-goals:
- Complex matching rules of
required_scope
consisting of mix of logicalAND
s andOR
s
The design
We propose a new JWT authenticator configuration - scope_match_multiplicity.
scope_match_multiplicity will control how many matches of required_scope are required. Supported values for scope_match_multiplicity: all, any.
scope_match_multiplicity should be optional and the option all should be its default as it reflects current logic.
The all scope match multiplicity option requires all scopes from required_scope to be matched by token scopes.
Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1 scope2"
The any scope match multiplicity option requires at least one scope from required_scope to be matched by token scopes.
Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1"
APIs
No response
Data storage
No response
Code and pseudo-code
No response
Degree of constraint
No response
Alternatives considered
- Complex matching rules of required_scope consisting of a mix of logical ANDs and ORs
  - for someone that needs only "OR" or only "AND" matching this will introduce unnecessary complexity
  - it may require a different format of required_scope
- Merging scope_strategy and scope_match_multiplicity into one value.
  - scope_strategy and scope_match_multiplicity control different matters - this config can be used in various combinations so there will be a need for a const for each combination, e.g. exact_all, exact_any
  - scope_strategy values are extracted to a separate lib and are probably used in many different apps which we will affect with our changes
- A separate field any_scope similar to required_scope for scopes that will require at least one match instead of scope_match_multiplicity.
  - each scope_match_multiplicity option has to be implemented as a new x_scope field
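As an added illustration of the proposed all/any semantics described in the issue (example code written for this page, not Oathkeeper's own implementation): the type and function names are assumptions, scope comparison is plain string equality (the real authenticator also honours scope_strategy), and an unset multiplicity falls back to all so existing configurations behave as today.

```go
package main

import (
	"fmt"
	"strings"
)

// ScopeMatchMultiplicity mirrors the proposed scope_match_multiplicity option:
// "all" keeps today's behaviour (and is the default), "any" needs one match.
type ScopeMatchMultiplicity string

const (
	MatchAll ScopeMatchMultiplicity = "all"
	MatchAny ScopeMatchMultiplicity = "any"
)

// ParseTokenScopes splits a space-separated scope claim ("scope1 scope2").
func ParseTokenScopes(claim string) []string { return strings.Fields(claim) }

// ScopesSatisfied reports whether the token scopes satisfy required_scope under
// the given multiplicity. Comparison is exact string equality (assumed here; the
// real authenticator also honours scope_strategy). An empty multiplicity means
// "all" so that existing configurations keep their current semantics.
func ScopesSatisfied(required, tokenScopes []string, mult ScopeMatchMultiplicity) (bool, error) {
	granted := make(map[string]struct{}, len(tokenScopes))
	for _, s := range tokenScopes {
		granted[s] = struct{}{}
	}
	matched := 0
	for _, r := range required {
		if _, ok := granted[r]; ok {
			matched++
		}
	}
	switch mult {
	case "", MatchAll:
		return matched == len(required), nil
	case MatchAny:
		// An empty required_scope is vacuously satisfied, as with "all".
		return len(required) == 0 || matched > 0, nil
	default:
		return false, fmt.Errorf("unsupported scope_match_multiplicity %q", mult)
	}
}

func main() {
	required := []string{"scope1", "scope2"}
	ok, _ := ScopesSatisfied(required, ParseTokenScopes("scope1"), MatchAny)
	fmt.Println("any + scope1:", ok) // true; the same token fails under "all"
}
```

Rejecting unknown multiplicity values at configuration time rather than silently treating them as all keeps a typo from loosening or tightening the check unnoticed.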
very useful