Make scope optional in token request for client_credentials #71

Open
ndr-brt opened this issue Jan 13, 2023 · 1 comment
Comments

@ndr-brt

ndr-brt commented Jan 13, 2023

Currently the scope parameter is mandatory in the /token endpoint; if it is not passed, an "access_denied" is returned.

Anyway, according to the OAuth2 client_credentials access token documentation, that parameter is optional.

I also noticed that passing an empty scope causes a SyntaxError.

@bellebaum
Contributor

Hey,

According to RFC 6749, Section 3.3:

If the client omits the scope parameter when requesting
authorization, the authorization server MUST either process the
request using a pre-defined default value or fail the request
indicating an invalid scope. The authorization server SHOULD
document its scope requirements and default value (if defined).

Omejdn's documentation specifies that

The scopes granted to any successful client request are a subset of the requested scopes.
Omejdn does not provide a default set of scopes issued to any particular client.

The syntax error is of course a bug :) Thanks for spotting it. The input validation will soon be improved.

Now onto the design space of OAuth:
The reason why we chose to not provide default scopes was that

  • we did not often see clients which required a predefined scope, and
  • it would have made the configuration more complex, and less OAuth-y (note that there is no distinction between default scopes and allowed scopes in the OAuth client metadata).

If you do need default scopes in your use case, then here are two plugins (untested) for Omejdn which you can deploy according to the documentation.

Solution 1: Global default scope

This plugin reads the plugin configuration to determine a set of default scopes

class ConfigDefaultScopesPlugin
  # Event handler invoked with the token endpoint's binding at TOKEN_STARTED.
  # Defined as a class method so that method(:apply_default) below resolves
  # inside the class body (an instance method would raise NameError there).
  def self.apply_default(bind)
    params = bind.eval('params')
    if params[:scope].nil? || params[:scope].empty?
      # Fall back to the scopes listed under plugins.config_default_scopes
      params[:scope] = PluginLoader.configuration('config_default_scopes').join(' ')
    end
  end
  PluginLoader.register 'TOKEN_STARTED', method(:apply_default)
end

Save it as plugins/config_default_scopes/config_default_scopes.rb and load a plugin configuration file like:

plugins:
  config_default_scopes:
    - default_scope_1
    - default_scope_2

Solution 2: Per-Client default scope

This plugin looks at the client metadata claim default_scopes to determine a set of default scopes

class ClientDefaultScopesPlugin
  # Event handler invoked with the token endpoint's binding at TOKEN_STARTED.
  # Class method for the same reason as above: method(:apply_default) is
  # resolved in the class body, not on an instance.
  def self.apply_default(bind)
    params = bind.eval('params')
    client = bind.local_variable_get(:client)
    if (params[:scope].nil? || params[:scope].empty?) && client.metadata.key?('default_scope')
      # Accept either a single scope string or a list under 'default_scope'
      params[:scope] = [*client.metadata['default_scope']].join(' ')
    end
  end
  PluginLoader.register 'TOKEN_STARTED', method(:apply_default)
end

Save it as plugins/client_default_scopes/client_default_scopes.rb and load a plugin configuration file like:

plugins:
  client_default_scopes:

Of course, you can always customize these plugins to your needs.
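The following is an added, stand-alone Ruby example (not Omejdn's code and not the plugins from the comment above) that models the scope resolution the two plugins perform and the RFC 6749 Section 3.3 rule for an omitted scope: a per-client default is tried first, then a global default, and if neither exists the request fails with invalid_scope rather than a generic access_denied. The client table, the `default_scope` metadata key, the global default list and all function names are constructed for illustration; it also treats an empty or whitespace-only scope as "omitted", which is the input that triggered the SyntaxError reported in this issue.

```ruby
require 'set'

# Constructed stand-in for per-client OAuth metadata. 'scope' is the allowed
# set; 'default_scope' is the hypothetical per-client default used above.
CLIENTS = {
  'reporting-job' => { 'scope' => %w[read:reports read:users],
                       'default_scope' => ['read:reports'] },
  'legacy-app'    => { 'scope' => %w[read:users], 'default_scope' => [] }
}.freeze

# Constructed global default, playing the role of plugins.config_default_scopes.
GLOBAL_DEFAULT_SCOPES = %w[read:users].freeze

class InvalidScope < StandardError; end
class InvalidClient < StandardError; end

# Normalise the raw scope parameter into an array of scope tokens.
# nil, '' and whitespace-only all mean "omitted" instead of blowing up.
def parse_scope(raw)
  return [] if raw.nil?
  raise InvalidScope, 'scope must be a string' unless raw.is_a?(String)

  raw.split(/\s+/).reject(&:empty?)
end

# Resolve the scope for a client_credentials request.
# RFC 6749 Section 3.3: when scope is omitted, apply a pre-defined default or
# fail with invalid_scope. The per-client default wins over the global one,
# mirroring the effect of loading both plugins from the comment above.
def resolve_scope(raw_scope, client_id, clients: CLIENTS, global_default: GLOBAL_DEFAULT_SCOPES)
  client = clients.fetch(client_id) { raise InvalidClient, "unknown client #{client_id}" }
  requested = parse_scope(raw_scope)
  if requested.empty?
    requested = Array(client['default_scope'])
    requested = global_default if requested.empty?
  end
  raise InvalidScope, 'no scope requested and no default defined' if requested.empty?

  # Granted scopes are a subset of the requested scopes, limited to what the
  # client is allowed to hold; an empty intersection is a failed request.
  allowed = client.fetch('scope', []).to_set
  granted = requested.select { |s| allowed.include?(s) }
  raise InvalidScope, "none of '#{requested.join(' ')}' is allowed for #{client_id}" if granted.empty?

  granted
end

# Map a token request to the RFC 6749 Section 5.2 error shape (constructed;
# Omejdn's real response builder is not used here).
def handle_token_request(params)
  return { 'error' => 'unsupported_grant_type' } unless params[:grant_type] == 'client_credentials'

  granted = resolve_scope(params[:scope], params[:client_id])
  { 'token_type' => 'Bearer', 'scope' => granted.join(' ') }
rescue InvalidClient
  { 'error' => 'invalid_client' }
rescue InvalidScope => e
  { 'error' => 'invalid_scope', 'error_description' => e.message }
end

if __FILE__ == $PROGRAM_NAME
  # Omitted scope resolved through the per-client default
  p handle_token_request({ grant_type: 'client_credentials', client_id: 'reporting-job' })
  # Empty scope string resolved through the global default
  p handle_token_request({ grant_type: 'client_credentials', client_id: 'legacy-app', scope: '' })
  # Scope the client is not allowed to hold
  p handle_token_request({ grant_type: 'client_credentials', client_id: 'legacy-app', scope: 'write:users' })
end
```

The design choice worth noting is that the fallback chain ends in an explicit invalid_scope error, which is the documented behaviour clients can act on, whereas a bare access_denied or a parser exception gives them nothing to distinguish "no default configured" from "not authorised".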
