Conversation
klmz
force-pushed
the
add-authorizationscopes
branch
from
117f266 to
274470e
Compare
|
Ok. I must admit that I don't know how. But I'm guessing it had something to do with linting. Once I made sure |
klmz
force-pushed
the
add-authorizationscopes
branch
from
a72d3d7 to
f02b74d
Compare
Codecov Report
@@ Coverage Diff @@
## develop #917 +/- ##
===========================================
+ Coverage 94.5% 94.58% +0.08%
===========================================
Files 72 78 +6
Lines 3746 4269 +523
Branches 742 850 +108
===========================================
+ Hits 3540 4038 +498
- Misses 104 111 +7
- Partials 102 120 +18
Continue to review full report at Codecov.
|
|
@keetonian, sorry to ping you, would be possible to merge this? We are using a lambda to achieve the same and this will reduce errors on our side by a lot! |
Depends on how much you need this but you can pull this branch and run the transformation manually as described here: Dev guide If you ever worked with python and virtualenv you can have it done in minutes. |
|
@fyayc-ale @klmz Will review today. Thank you for pinging me. |
|
@klmz thanks! Looks like it's missing |
|
@brettstack I didn't do that because I tried to stay as close to the cloudformation spec. A default scope doesn't make a whole lot of sense to me. If it is default you can just as well leave the scope out I guess? Although I guess there are use cases where it could make sense. If you want most endpoints to be with a scope and just a couple without scopes. Or if you use the same token with different api's or something like that? Would like to hear you thoughts on this. That being said, I guess there is some use for it so I expect to have some time to add the api level scopes this week. |
|
Yes it's the scenario where you want most endpoints to have a certain configuration and you override the outliers. |
|
Lol. That was much more complex than I anticipated. I think I got the behavior down, but I need to write tests still and then check if I can refactor it a bit to make it more clear. I expect to have some time to finish this on Thursday! |
|
Thanks @eterjoost we'll review when it's all ready. 👍 |
brettstack
left a comment
brettstack
left a comment
There was a problem hiding this comment.
Looking good! Could you submit an example or update the existing Cognito example?
tests/translator/input/error_api_with_auth_with_default_scopes.yaml
Outdated
Show resolved
Hide resolved
|
I need some help with fixing the tests. Some tests are now failing, but it is very hard to see why in the output. Am I doing something wrong? Or is this how it works? Maybe there is a better way of using the tests instead of just running them all? |
|
It is an issue with the china and us-gov region. The output doesn't match the expected output, but I can't see what is different. |
|
@klmz ok, we can look at it, thanks for bringing it up! |
|
Hi All, This is a hugely important pull request and is great work by @klmz. Having the ability to use scopes within a SAM template is the only way to implement access tokens in an enterprise scenario. Can someone have a look, help @klmz to get to the end goal or provide some input to how we could fix this? Thanks in advance, Mike |
|
+1, This is a very important feature for implementing access_token and client_credentials grant type. |
|
+1 - the client_credentials flow actually requires a scope for authentication. |
|
Any progress on this issue?! |
|
@leantorres73 @louism517 I'm not familiar with those features, could you provide some more information about them? @Michael1d I resolved the merge conflicts locally, but had a couple of questions regarding this feature and the overall scope. Could you give some more information about access tokens and how you use/would like to use them? |
|
Hi @keetonian, Apologies for not get back to you sooner. In my scenario, I have API's that have many potential "clients" - think an SPA, an analytics ETL process, a B2B customer etc. I have created Cognito Application Clients that represent those use cases, assigning a single scope to each one. Therefore, I have the requirement to add one or more scopes selectively to serverless functions deployed by SAM. I hope that makes sense. On the standard CF AWS::ApiGateway::Method, there is a property for AuthorizationScopes and the same functionality is required here with a AWS::Serverless::Function in SAM. I also like the idea of being able to set default scopes on a AWS::Serverless::Api as discussed in here as well. Please let me know if you have any other questions or clarifications. |
keetonian
force-pushed
the
add-authorizationscopes
branch
from
3d40bd8 to
0c0523e
Compare
|
Just pushed up a few changes to fully support this feature. |
| Auth: | ||
| Authorizer: MyDefaultCognitoAuth | ||
| AuthorizationScopes: [] | ||
| CognitoDefaultAuythDefaultScopesNone: |
praneetap
left a comment
praneetap
left a comment
There was a problem hiding this comment.
Can you add a test with openapi to make sure the auth scopes get transformed into openapi correctly? Also try deploying it end to end.
|
Scopes match the Swagger/OpenApi spec: https://swagger.io/docs/specification/authentication/ |
|
No APIGW extensions for scopes, they use the same implementation: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authorizer.html |
|
Implementation/deployment verified for scopes changes. |
12 participants
Issue #, if available:
#652
Description of changes:
This adds support for authorisation scopes to the SAM spec. It is a small hanges to the swagger translator that add authorization scopes per method.
Description of how you validated changes:
I have added an e2e test in the from of an example yaml file (
api_with_auth_with_scopes.yaml) with all usage options. I also added swagger specific tests totest_swagger.py.Checklist:
make prpassesBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.