fix: requested scope ignored in refresh flow #718
Conversation
james-d-elliott
changed the title
james-d-elliott
force-pushed
the
fix-refresh-scope-narrowing
branch
from
5eb68a9
to
f35f7d0
Compare
aeneasr
force-pushed
the
fix-refresh-scope-narrowing
branch
from
f35f7d0
to
cda9c24
Compare
|
Regaring the following sequence;
I can confirm with my high level testing that it fails at step 3. |
|
So looking here: fosite/handler/oauth2/flow_refresh.go Line 64 in cda9c24 The original request we're looking up is the RT Session. Thus I think IF we want to preserve the original scope we just have to ensure the new RT session has the same scope as the original (granted), and the AT session has the narrowed scope. We just have to decide if that's desirable. With the current code including that addition would result in a second refresh without the The issue is I'm not entirely sure how we'd accomplish that, looking at the code it looks like the RT session and AT sessions share their scope. Maybe we have to have a new value to store the scope specific to the RT session, which defaults to the scope of the AT session so that it's appropriately handled during the If we did add this functionality the following flow sequence would be accurate (with a client which is authorized to grant scope
|
To me that sounds very, very reasonable! |
|
@aeneasr I'm fairly sure of the most effective way to achieve this, however you probably know this code base better than anyone so maybe I've missed something or you have an alternative way that is preferable. This is the critical path in making this functional I believe: fosite/handler/oauth2/flow_refresh.go Lines 190 to 199 in cda9c24 We need to ensure the I think the best way to achieve this is to add an interface which extends // RefreshTokenAccessRequester is an extended AccessRequester implementation that allows preserving
// the original scopes between refresh access requests allowing an relying-party to narrow the scope of
// the access token and then broaden them again to the resource owners original grant.
type RefreshTokenAccessRequester interface {
// GetRefreshTokenRequestedScopes returns the request's scopes specifically for the refresh token.
GetRefreshTokenRequestedScopes() (scopes Arguments)
// SetRefreshTokenRequestedScopes sets the request's scopes specifically for the refresh token.
SetRefreshTokenRequestedScopes(scopes Arguments)
// GetRefreshTokenGrantedScopes returns all granted scopes specifically for the refresh token.
GetRefreshTokenGrantedScopes() (grantedScopes Arguments)
// SetRefreshTokenRequestedScopes sets the request's scopes specifically for the refresh token.
SetRefreshTokenRequestedScopes(scopes Arguments)
AccessRequester
}The key thing being that if that interface is not implemented that people would not have this functionality. |
|
I think that could work! We probably need a few more tests to ensure that this works without getting confused in the process in longer refresh token chains :) |
james-d-elliott
force-pushed
the
fix-refresh-scope-narrowing
branch
2 times, most recently
from
08cde0e
to
008a527
Compare
aeneasr
force-pushed
the
fix-refresh-scope-narrowing
branch
from
a1f76a6
to
d6e19a1
Compare
aeneasr
force-pushed
the
fix-refresh-scope-narrowing
branch
from
d6e19a1
to
6103588
Compare
There was a problem hiding this comment.
@james-d-elliott Thanks for this PR! I had a couple of observations that you might consider.
handler/oauth2/flow_refresh.go
Outdated
| if err = c.TokenRevocationStorage.CreateRefreshTokenSession(ctx, refreshSignature, storeReq); err != nil { | ||
| return err | ||
| if rtRequest, ok := requester.(fosite.RefreshTokenAccessRequester); ok { | ||
| rtStoreReq := requester.Sanitize([]string{}).(*fosite.Request) |
There was a problem hiding this comment.
@james-d-elliott Wondering if this negates the idea of having a Requester interface at all. I understand why you do it though.
A better approach might be to introduce an interface that allows you to invoke SetGrantedScopes and SetRequestedScopes?
There was a problem hiding this comment.
Yeah, the only intent behind this was to avoid breaking any other implementation. I'm completely fine with which ever approach most fits with how ory is using this however.
There was a problem hiding this comment.
In the spirit of preserving the interfaces, I suggest a new interface be added that is able to mutate scopes in the requester.
There was a problem hiding this comment.
This has been addressed in a use specific way I believe.
james-d-elliott
force-pushed
the
fix-refresh-scope-narrowing
branch
from
ee7e5e8
to
f13c026
Compare
This addresses an issue where the clients requested scope is ignored during the refresh flow preventing a refresh token from granting an access token with a more narrow scope. It is critical to note that it is completely ignored, and previous behaviour only issued the same scope as originally granted. An access request which requests a broader scope is equally ignored and it has been thoroughly tested to ensure this cannot occur in HEAD. See https://www.rfc-editor.org/rfc/rfc6749#section-6 for more information.
james-d-elliott
force-pushed
the
fix-refresh-scope-narrowing
branch
2 times, most recently
from
9c10f44
to
33e6bfc
Compare
| // IgnoreRequestedScopeNotInOriginalGrant determines the action to take when the requested scopes in the refresh | ||
| // flow were not originally granted. If false which is the default the handler will automatically return an error. | ||
| // If true the handler will filter out / ignore the scopes which were not originally granted. | ||
| IgnoreRequestedScopeNotInOriginalGrant bool |
There was a problem hiding this comment.
Side note when looking at this. I have a per-client implementation of this utilizing an interface which passes the same tests. Maybe this is more desirable?
There was a problem hiding this comment.
Why is this not made through a new config interface?
There was a problem hiding this comment.
To me it looks like currently all config is done through config interface, even if it is not meant for hot reloading?
| if c.IgnoreRequestedScopeNotInOriginalGrant { | ||
| // Skips addressing point 2 of the text in RFC6749 Section 6 and instead just prevents the scope | ||
| // requested from being granted. | ||
| continue | ||
| } else { | ||
| // Addresses point 2 of the text in RFC6749 Section 6. | ||
| return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The requested scope '%s' was not originally granted by the resource owner.", scope)) | ||
| } |
There was a problem hiding this comment.
Side note when looking at this. I have a per-client implementation of this utilizing an interface which passes the same tests. Maybe this is more desirable?
There was a problem hiding this comment.
What would be the use case of having this per-client?
There was a problem hiding this comment.
The only way I'll personally use it is per-client where the default is to enforce the spec and you make an exception on a per-client basis. I'm happy enough to maintain my own entire implementation however.
james-d-elliott
force-pushed
the
fix-refresh-scope-narrowing
branch
from
33e6bfc
to
c472cd8
Compare
| if err = c.TokenRevocationStorage.CreateRefreshTokenSession(ctx, refreshSignature, storeReq); err != nil { | ||
| return err | ||
| if rtRequest, ok := requester.(fosite.RefreshTokenAccessRequester); ok { | ||
| rtStoreReq := rtRequest.SanitizeRestoreRefreshTokenOriginalRequester(originalRequest) |
There was a problem hiding this comment.
What is this change about? Why it is necessary?
There was a problem hiding this comment.
Because the scopes of the current request are for the access token, not the refresh token. The scopes of the original granted refresh token must be restored to make it possible to meet the strict requirements of the spec:
If a new refresh token is issued, the refresh token scope MUST be identical to that of the refresh token included by the client in the request.
There was a problem hiding this comment.
No, I mean, my question is why you have two cases here. It looks like you added RefreshTokenAccessRequester for backwards compatibility? But it feels to me that if you do not implement RefreshTokenAccessRequester then you get wrong behavior? Not sure if we should keep the old behavior at all?
Also, I am not sure that an extra method is already needed here? Sanitize returns a clone of requester to begin with? And you then call just:
ar.SetID(requester.GetID())
ar.SetRequestedScopes(requester.GetRequestedScopes())
ar.SetGrantedScopes(requester.GetGrantedScopes())
So why not just call originalRequest.Sanitize(nil) and then those three calls above, here, at this point? Without a method?
Probably I am missing something, I just checked very quickly this.
There was a problem hiding this comment.
An AccessRequester doesn't have SetGranted* receivers as part of the implementation. So a new receiver will be needed regardless. The question is just about what solution is going to lead to the least harmful outcome.
Adding those receivers to the AccessRequester interface seems like a poor choice as it isn't used now but could potentially lead to implementers making harmful decisions in this stage of the relevant flows in my opinion.
As far as the other I brought it up with aeneasr I believe so really up to an ory preference (he may have actually asked for it but I don't recall specifics). I personally don't have one myself in either direction.
There was a problem hiding this comment.
It has GrantScope? Isn't this enough? You loop over all granted scopes and call GrantScope?
There was a problem hiding this comment.
I see the same being done currently in the code:
request.SetID(originalRequest.GetID())
request.SetSession(originalRequest.GetSession().Clone())
request.SetRequestedScopes(originalRequest.GetRequestedScopes())
request.SetRequestedAudience(originalRequest.GetRequestedAudience())
for _, scope := range originalRequest.GetGrantedScopes() {
if !c.Config.GetScopeStrategy(ctx)(request.GetClient().GetScopes(), scope) {
return errorsx.WithStack(fosite.ErrInvalidScope.WithHintf("The OAuth 2.0 Client is not allowed to request scope '%s'.", scope))
}
request.GrantScope(scope)
}
...
for _, audience := range originalRequest.GetGrantedAudience() {
request.GrantAudience(audience)
}
There was a problem hiding this comment.
I see this was a previous comment here: #718 (comment)
There was a problem hiding this comment.
So to seems there is already some code to clone a requester. Maybe that should be just moved out into utility function and reused here for refresh token as well?
(And again sorry if I am missing something.)
This addresses an issue where the clients requested scope is ignored during the refresh flow preventing a refresh token from granting an access token with a more narrow scope. It is critical to note that it is completely ignored, and previous behaviour only issued the same scope as originally granted. An access request which requests a broader scope is equally ignored and it has been thoroughly tested to ensure this cannot occur in HEAD. See https://www.rfc-editor.org/rfc/rfc6749#section-6 for more information.
Related Issue or Design Document
Fixes #696
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
Further comments