Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] ScopeAuthorizationHandler only checks first scope claim #1707

Closed
agilenut opened this issue Apr 14, 2022 · 1 comment · Fixed by #1711
Closed

[Bug] ScopeAuthorizationHandler only checks first scope claim #1707

agilenut opened this issue Apr 14, 2022 · 1 comment · Fixed by #1711
Labels
bug Something isn't working P1
Milestone
1.24.0

Comments

@agilenut
Copy link

Which version of Microsoft Identity Web are you using?
1.23.1

Where is the issue?

  • Web API
    • [x ] Protected web APIs (validating tokens)

Is this a new or an existing app?
This is a new app or an experiment.

Context

Using Okta, scopes are separated into multiple claims. Imo, this is the correct representation once parsed and in the claims collection (not space delimited).

When the ScopeAuthorizationHandler runs, it only checks for the first claim. If the first claim is one of the claims listed in the RequiredScope attribute, then the request is authorized. If the first claim is not in the RequiredScope attribute, then it is not authorized.

Expected behavior
All scopes (in all scope claims) should be tested such that, if a scope in any of the claims is listed in the RequiredScope attribute, then the request is authorized; otherwise, it should not be authorized.

Actual behavior
Only the first claim is tested. So, the authorization becomes based on the claim order which is incorrect.

Possible solution
Replace this

with

          var scopeClaims = context.User.FindAll(ClaimConstants.Scp)
              .Union(context.User.FindAll(ClaimConstants.Scope))
              .ToList();

          if (!scopeClaims.Any()) {
              return Task.CompletedTask;
          }

          var hasScope = scopeClaims.SelectMany(s => s.Value.Split(' ')).Intersect(scopes).Any();

          if (hasScope) {
              context.Succeed(requirement);
              return Task.CompletedTask;
          }
@jmprieur jmprieur added bug Something isn't working P1 labels Apr 19, 2022
@jmprieur jmprieur mentioned this issue Apr 19, 2022
Merged
@jennyf19 jennyf19 added this to the 1.24.0 milestone Apr 19, 2022
@jennyf19
Copy link
Collaborator

Released in 1.24.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working P1
Projects
None yet
Milestone
1.24.0
Development

Successfully merging a pull request may close this issue.

fix for 1707 AzureAD/microsoft-identity-web
3 participants
@agilenut @jmprieur @jennyf19