Enforce OAuth Access Token Scope requirements
nynymike opened this issue · 3 comments
Ideally, when I design an endpoint, I should be able to say how each method is authorized. In OAuth, we use scopes to determine the extent of access granted for an access_token ("AT"). The AT may be a value token: a JWT requiring signature validation (and auto-fetching of the current keys). The AT may also be a reference token: a guess-resistant identifier requiring OAuth token introspection. In either case, the AT should contain the scope claim, which is a space-delimited list of scopes (normally in URI format).
In the example below, the swagger doc is saying that to do a GET on the persistence endpoint, you need to present a token with either the properties.read OR properties.write scope.
```yaml
/jans-config-api/api/v1/jans-auth-server/config/persistence:
  get:
    summary: Returns persistence type configured for Jans authorization server.
    description: Returns persistence type configured for Jans authorization server.
    operationId: get-properties-persistence
    security:
      - oauth2: [properties.read, properties.write]
```
For extra credit, you can consider how the scopes are combined. Can you use AND instead of OR for a given endpoint? For more complex booleans, you could support JSONLogic syntax.
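As an added illustration of the check this issue asks for (example code, not API-Firewall's own), the following Go evaluates a token's scope claim against an endpoint's scope list under either the OR reading described above or the AND variant from the extra-credit question. It assumes the token has already been validated (JWT signature or introspection) and that only the scope claim string reaches the check; the type and function names are made up for this example.

```go
package main

import "strings"

// ScopeMode says how the scopes listed for an endpoint combine.
type ScopeMode int

const (
	AnyOf ScopeMode = iota // at least one listed scope: the OR case in the issue
	AllOf                  // every listed scope: the AND "extra credit" case
)

// Requirement is the scope list attached to one method of one path, e.g. the
// oauth2 entry under security: in the swagger snippet above.
type Requirement struct {
	Scopes []string
	Mode   ScopeMode
}

// ParseScopeClaim splits a token's scope claim (space-delimited, RFC 6749
// section 3.3) into a set; a missing or empty claim yields an empty set.
func ParseScopeClaim(claim string) map[string]bool {
	granted := make(map[string]bool)
	for _, s := range strings.Fields(claim) {
		granted[s] = true
	}
	return granted
}

// Authorized reports whether the granted scopes satisfy the requirement.
// An endpoint with no scopes listed is denied, so a misconfiguration fails closed.
func (r Requirement) Authorized(granted map[string]bool) bool {
	if len(r.Scopes) == 0 {
		return false
	}
	matched := 0
	for _, s := range r.Scopes {
		if granted[s] {
			matched++
		}
	}
	if r.Mode == AllOf {
		return matched == len(r.Scopes)
	}
	return matched > 0
}
```

Note that the OpenAPI specification itself treats the scopes inside a single security requirement object as all required, with alternatives expressed as separate objects in the security array; the Mode field lets a deployment pick whichever reading its API documents actually follow.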
Hello nynymike,
Unfortunately, right now we don't support in-depth security requirements analysis (token validation, scope checks, etc.). API-Firewall just checks that you have an "Authorization" header without validation of its content. But we have some ideas regarding integration with OAuth services in the API-Firewall roadmap.
Could you please provide any details regarding the OAuth provider you are using? It will help us to adjust our tasks.
Thanks.
I am CEO of Gluu, so of course we use Gluu Server 4.x. The upstream project is Janssen Auth-Server at the Linux Foundation.
This feature will be included in the next release.