Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ocelot forwards Route when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them #1066

Open
papugamichal opened this issue Nov 28, 2019 · 1 comment · May be fixed by #1478
Open

Ocelot forwards Route when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them #1066

papugamichal opened this issue Nov 28, 2019 · 1 comment · May be fixed by #1478
Assignees
@papugamichal
Labels
accepted Bug or feature would be accepted as a PR or is being worked on bug Identified as a potential bug proposal Proposal for a new functionality in Ocelot Winter'25 Winter 2025 release
Milestone
Winter'25

Comments

@papugamichal
Copy link

papugamichal commented Nov 28, 2019
edited by raman-m
Loading

Expected Behavior / New Feature

Allowed Scopes documentation says:

If you add scopes to AllowedScopes Ocelot will get all the user claims (from the token) of the type scope and make sure that the user has all of the scopes in the list.

This is a way to restrict access to a Route on a per scope basis.

ScopesAuthoriser | Line 36

public Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes)
{
    // ...
    var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
    // ...
}

Example:

Token contains Scope: "A"
Defined route AllowedScopes: "A", "B"

Ocelot should reject request to be fair with documentation.

Actual Behavior / Motivation for New Feature

Example

Token contains Scope: "A".
Defined route AllowedScopes: "A", "B"

Ocelot allow to pass request, even when token do not contains all required scopes!

Change proposal

Change:
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
To:
var matchesScopes = routeAllowedScopes.All(e => userScopes.Contains(e));

Or, change misleading information in documentation.

Specifications

  • Version: 13.5.2, 19.0.2
  • Subsystem: ASP.NET Core 2.1, .NET 7
@mehyaa mehyaa linked a pull request May 31, 2021 that will close this issue
Open
@raman-m raman-m added bug Identified as a potential bug proposal Proposal for a new functionality in Ocelot needs feedback Issue is waiting on feedback before acceptance accepted Bug or feature would be accepted as a PR or is being worked on and removed needs feedback Issue is waiting on feedback before acceptance labels Aug 24, 2023
@raman-m
Copy link
Member

raman-m commented Aug 24, 2023

The issue has been accepted due to opened PR #1478

@raman-m raman-m linked a pull request Aug 24, 2023 that will close this issue
#913 #1066 ScopesAuthorizer refactoring #1478
Open
@raman-m raman-m changed the title Ocelot forward ReRoute when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them Ocelot forwards Route when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them Aug 24, 2023
@raman-m raman-m added the 2023 Annual 2023 release label Jun 15, 2024
@raman-m raman-m added this to the Annual 2023 milestone Jun 15, 2024
@raman-m raman-m added Oct'24 October 2024 release and removed 2023 Annual 2023 release labels Oct 9, 2024
@raman-m raman-m modified the milestones: Annual 2023, October'24 Oct 9, 2024
@raman-m raman-m added Winter'25 Winter 2025 release and removed Oct'24 October 2024 release labels Oct 26, 2024
@raman-m raman-m modified the milestones: October'24, Autumn'24 Oct 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@papugamichal papugamichal

Labels
accepted Bug or feature would be accepted as a PR or is being worked on bug Identified as a potential bug proposal Proposal for a new functionality in Ocelot Winter'25 Winter 2025 release
Projects
None yet
Milestone
Winter'25
Development

Successfully merging a pull request may close this issue.

#913 #1066 ScopesAuthorizer refactoring mehyaa/Ocelot
2 participants
@raman-m @papugamichal