feat(config-api): comprehensive handling of oauth2 permission #2882

Closed
pujavs opened this issue Nov 7, 2022 · 1 comment
Assignees
Labels
comp-jans-config-api Component affected by issue or PR enhancement kind-feature Issue or PR is a new feature request

Comments


pujavs commented Nov 7, 2022

config-api endpoints are oauth2 protected. This requirement is to make the authorization comprehensive.

  1. If a user has write permission then should be able to read data as well. That is no need for explicit read permission
  2. Need super permission to execute endpoints
  • https://jans.io/oauth/config/read-all should be able to execute read for all endpoints
  • https://jans.io/oauth/config/write-all should be able to execute add/update/delete for all endpoints
  3. Functionality wise group permission to enable execution of all endpoints

Implementation

Metadata:
An endpoint can be annotated with endpoint specific scope, feature level scope (Group) or admin level scope using @ProtectedApi wherein:

  • scope -> endpoint specific granular permissions
  • groupScopes -> feature level permissions
  • superScopes -> Admin level permissions

Logic:

  • superScopes: If the access token has any of super scopes then no need to check group or granular scopes
  • groupScopes: If the access token does not have any of the applicable super scopes then check if the access token has group level scopes. If any of the group level scope present then no need to check group or granular scopes.
  • scope: If access token does not have any of the super or group level scopes then check if all the applicable endpoint specific granular scopes are present.

Example:
OpenID Client GET endpoint annotation
@ProtectedApi(scopes = { "https://jans.io/oauth/config/openid/clients.readonly" }, groupScopes = { "https://jans.io/oauth/config/openid/openid-write", "https://jans.io/oauth/config/openid-read" }, superScopes = { "https://jans.io/oauth/config/read-all" })
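The three-tier check described under Logic, worked through against the example annotation above, as an added illustration that is not config-api's own code. The nested `ProtectedApi` record is a stand-in for the real annotation, `authorize()` is an assumed helper name, and the token scope sets are constructed samples; the fourth token carries a scope name made up for this example to show the deny case.

```java
import java.util.List;
import java.util.Set;

public class ScopeCheck {

    /** Stand-in for the @ProtectedApi annotation (hypothetical, mirrors its three attributes). */
    record ProtectedApi(Set<String> scopes, Set<String> groupScopes, Set<String> superScopes) {}

    /**
     * Evaluates the token against the endpoint metadata in the order the issue describes:
     * super scopes first (any one suffices), then group scopes (any one suffices),
     * then granular scopes (all required). Returns the tier that granted access, or null.
     */
    static String authorize(Set<String> tokenScopes, ProtectedApi api) {
        // superScopes: an admin-level scope short-circuits the group and granular checks.
        if (api.superScopes().stream().anyMatch(tokenScopes::contains)) {
            return "super";
        }
        // groupScopes: a feature-level scope short-circuits the granular check.
        if (api.groupScopes().stream().anyMatch(tokenScopes::contains)) {
            return "group";
        }
        // scopes: every endpoint-specific scope must be present. An endpoint that declares
        // no granular scopes is denied here rather than left open (deny by default, an
        // assumption of this example).
        if (!api.scopes().isEmpty() && tokenScopes.containsAll(api.scopes())) {
            return "granular";
        }
        return null;
    }

    public static void main(String[] args) {
        // Metadata from the issue's OpenID client GET example.
        ProtectedApi clientsGet = new ProtectedApi(
                Set.of("https://jans.io/oauth/config/openid/clients.readonly"),
                Set.of("https://jans.io/oauth/config/openid/openid-write",
                       "https://jans.io/oauth/config/openid-read"),
                Set.of("https://jans.io/oauth/config/read-all"));

        // Constructed sample tokens, represented only by their scope sets.
        List<Set<String>> tokens = List.of(
                Set.of("https://jans.io/oauth/config/read-all"),                // admin read-all
                Set.of("https://jans.io/oauth/config/openid/openid-write"),     // write group grants read
                Set.of("https://jans.io/oauth/config/openid/clients.readonly"), // granular read
                Set.of("https://example.invalid/unrelated-scope"),              // constructed, no match
                Set.of());                                                      // no scopes at all

        for (Set<String> token : tokens) {
            String tier = authorize(token, clientsGet);
            System.out.println(token + " -> "
                    + (tier == null ? "denied (403)" : "allowed via " + tier + " scope"));
        }
    }
}
```

The second token shows how requirement 1 (write implies read) falls out of the metadata rather than special-case code: the GET endpoint lists the write group scope among its groupScopes, so a write-only token is admitted at the group tier without holding the readonly scope.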

@pujavs pujavs added comp-jans-config-api Component affected by issue or PR enhancement labels Nov 7, 2022
@pujavs pujavs self-assigned this Nov 7, 2022
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Nov 7, 2022
@moabu moabu added this to the 1.0.5 milestone Nov 14, 2022

pujavs commented Dec 1, 2022

Implemented via PR 3126
