feat: add scopes validator for logical evalulation

.schema/config.schema.json

@@ -201,6 +201,16 @@
  "default": "none",
  "description": "Sets the strategy validation algorithm."
  },
+ "scopesValidator": {
+ "title": "Scope Validator",
+ "type": "string",
+ "enum": [
+ "default",
+ "any"
+ ],
+ "default": "default",
+ "description": "Sets the strategy verifier algorithm. Default is logical AND and any serves as OR"
+ },
  "configErrorsRedirect": {
  "type": "object",
  "title": "HTTP Redirect Error Handler",
@@ -604,6 +614,9 @@
  "scope_strategy": {
  "$ref": "#/definitions/scopeStrategy"
  },
+ "scopes_validator": {
+ "$ref": "#/definitions/scopesValidator"
+ },
  "token_from": {
  "title": "Token From",
  "description": "The location of the token.\n If not configured, the token will be received from a default location - 'Authorization' header.\n One and only one location (header or query) must be specified.",
@@ -712,6 +725,9 @@
  "scope_strategy": {
  "$ref": "#/definitions/scopeStrategy"
  },
+ "scopes_validator": {
+ "$ref": "#/definitions/scopesValidator"
+ },
  "pre_authorization": {
  "title": "Pre-Authorization",
  "description": "Enable pre-authorization in cases where the OAuth 2.0 Token Introspection endpoint is protected by OAuth 2.0 Bearer Tokens that can be retrieved using the OAuth 2.0 Client Credentials grant.",

credentials/scopes_logical_validator.go

@@ -0,0 +1,28 @@
+package credentials
+
+import (
+ "github.com/ory/herodot"
+ "github.com/pkg/errors"
+)
+
+type ScopesValidator func(scopeResult map[string]bool) error
+
+func DefaultValidation(scopeResult map[string]bool) error {
+ for sc, result := range scopeResult {
+ if !result {
+ return errors.WithStack(herodot.ErrInternalServerError.WithReasonf(`JSON Web Token is missing required scope "%s".`, sc))
+ }
+ }
+
+ return nil
+}
+
+func AnyValidation(scopeResult map[string]bool) error {
+ for _, result := range scopeResult {
+ if result {
+ return nil
+ }
+ }
+
+ return errors.WithStack(herodot.ErrInternalServerError.WithReasonf(`JSON Web Token is missing required scope`))
+}

credentials/verifier.go

@@ -25,10 +25,11 @@ type VerifierRegistry interface {
 }
 
 type ValidationContext struct {
- Algorithms []string
- Issuers []string
- Audiences []string
- ScopeStrategy fosite.ScopeStrategy
- Scope []string
- KeyURLs []url.URL
+ Algorithms []string
+ Issuers []string
+ Audiences []string
+ ScopeStrategy fosite.ScopeStrategy
+ ScopesValidator ScopesValidator
+ Scope []string
+ KeyURLs []url.URL
 }

credentials/verifier_default.go

@@ -120,11 +120,16 @@ func (v *VerifierDefault) Verify(
  claims["scp"] = s
 
  if r.ScopeStrategy != nil {
+ scopeResult := make(map[string]bool, len(r.Scope))
+
  for _, sc := range r.Scope {
- if !r.ScopeStrategy(s, sc) {
- return nil, herodot.ErrUnauthorized.WithReasonf(`JSON Web Token is missing required scope "%s".`, sc)
- }
+ scopeResult[sc] = r.ScopeStrategy(s, sc)
+ }
+
+ if err := r.ScopesValidator(scopeResult); err != nil {
+ return nil, err
  }
+
  } else {
  if len(r.Scope) > 0 {
  return nil, errors.WithStack(helper.ErrRuleFeatureDisabled.WithReason("Scope validation was requested but scope strategy is set to \"none\"."))

credentials/verifier_default_test.go

@@ -46,12 +46,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should pass because JWT is valid",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -68,15 +69,69 @@ func TestVerifierDefault(t *testing.T) {
  "scp": []string{"scope-3", "scope-2", "scope-1"},
  },
  },
+ {
+ d: "should pass because one of scopes is valid",
+ c: &ValidationContext{
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "not-scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: AnyValidation,
+ },
+ token: sign(jwt.MapClaims{
+ "sub": "sub",
+ "exp": now.Add(time.Hour).Unix(),
+ "aud": []string{"aud-1", "aud-2"},
+ "iss": "iss-2",
+ "scope": []string{"scope-3", "scope-2", "scope-1"},
+ }, "file://../test/stub/jwks-hs.json"),
+ expectClaims: jwt.MapClaims{
+ "sub": "sub",
+ "exp": float64(now.Add(time.Hour).Unix()),
+ "aud": []interface{}{"aud-1", "aud-2"},
+ "iss": "iss-2",
+ "scp": []string{"scope-3", "scope-2", "scope-1"},
+ },
+ },
+ {
+ d: "should fail because one of scopes is invalid and validation is strict",
+ c: &ValidationContext{
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "not-scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
+ },
+ token: sign(jwt.MapClaims{
+ "sub": "sub",
+ "exp": now.Add(time.Hour).Unix(),
+ "aud": []string{"aud-1", "aud-2"},
+ "iss": "iss-2",
+ "scope": []string{"scope-3", "scope-2", "scope-1"},
+ }, "file://../test/stub/jwks-hs.json"),
+ expectClaims: jwt.MapClaims{
+ "sub": "sub",
+ "exp": float64(now.Add(time.Hour).Unix()),
+ "aud": []interface{}{"aud-1", "aud-2"},
+ "iss": "iss-2",
+ "scp": []string{"scope-3", "scope-2", "scope-1"},
+ },
+ expectErr: true,
+ },
  {
  d: "should pass even when scope is a string",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -96,12 +151,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should pass when scope is keyed as scp",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -121,12 +177,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should pass when scope is keyed as scopes",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -164,12 +221,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when algorithm does not match",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-rsa-single.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-rsa-single.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -183,12 +241,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when audience mismatches",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -202,12 +261,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when issuer mismatches",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -221,12 +281,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when issuer mismatches",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -240,12 +301,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when expired",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -259,12 +321,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when nbf in future",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",
@@ -279,12 +342,13 @@ func TestVerifierDefault(t *testing.T) {
  {
  d: "should fail when iat in future",
  c: &ValidationContext{
- Algorithms: []string{"HS256"},
- Audiences: []string{"aud-1", "aud-2"},
- Issuers: []string{"iss-1", "iss-2"},
- Scope: []string{"scope-1", "scope-2"},
- KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
- ScopeStrategy: fosite.ExactScopeStrategy,
+ Algorithms: []string{"HS256"},
+ Audiences: []string{"aud-1", "aud-2"},
+ Issuers: []string{"iss-1", "iss-2"},
+ Scope: []string{"scope-1", "scope-2"},
+ KeyURLs: []url.URL{*x.ParseURLOrPanic("file://../test/stub/jwks-hs.json")},
+ ScopeStrategy: fosite.ExactScopeStrategy,
+ ScopesValidator: DefaultValidation,
  },
  token: sign(jwt.MapClaims{
  "sub": "sub",

driver/configuration/provider.go

@@ -5,6 +5,7 @@ package configuration
 
 import (
  "encoding/json"
+ "github.com/ory/oathkeeper/credentials"
  "net/url"
  "testing"
  "time"
@@ -70,6 +71,7 @@ type Provider interface {
  PrometheusHideRequestPaths() bool
  PrometheusCollapseRequestPaths() bool
 
+ ToScopesValidation(value string, key string) credentials.ScopesValidator
  ToScopeStrategy(value string, key string) fosite.ScopeStrategy
  ParseURLs(sources []string) ([]url.URL, error)
  JSONWebKeyURLs() []string