Ocelot forwards Route when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them #1066

Open
papugamichal opened this issue Nov 28, 2019 · 1 comment · May be fixed by #1478
Labels
accepted Bug or feature would be accepted as a PR or is being worked on bug Identified as a potential bug proposal Proposal for a new functionality in Ocelot

papugamichal commented Nov 28, 2019

Expected Behavior / New Feature

Allowed Scopes documentation says:

If you add scopes to AllowedScopes Ocelot will get all the user claims (from the token) of the type scope and make sure that the user has all of the scopes in the list.

This is a way to restrict access to a Route on a per scope basis.

ScopesAuthoriser | Line 36

public Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes)
{
    // ...
    var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
    // ...
}

Example:

Token contains Scope: "A"
Defined route AllowedScopes: "A", "B"

Ocelot should reject the request to be fair to the documentation.

Actual Behavior / Motivation for New Feature

Example

Token contains Scope: "A".
Defined route AllowedScopes: "A", "B"

Ocelot allows the request to pass, even when the token does not contain all required scopes!

Change proposal

Change:
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
To:
var matchesScopes = routeAllowedScopes.All(e => userScopes.Contains(e));

Or change the misleading information in the documentation.

Specifications

  • Version: 13.5.2, 19.0.2
  • Subsystem: ASP.NET Core 2.1, .NET 7
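
An added example, not Ocelot's code and not part of the original issue: a stand-alone C# comparison of the any-of check (`Intersect`) with the all-of check the documentation describes, run on the token and route from the report plus a few constructed tokens. The helper names (`UserScopes`, `AnyOf`, `AllOf`, `Token`) and the treatment of an empty `AllowedScopes` list as "no restriction" are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ScopeCheckDemo
{
    // Hypothetical helper: collect the value of every "scope" claim on the principal.
    static HashSet<string> UserScopes(ClaimsPrincipal principal) =>
        principal.FindAll("scope").Select(c => c.Value).ToHashSet(StringComparer.Ordinal);

    // Any-of: passes when at least one allowed scope is present (the Intersect behaviour).
    // Assumption: an empty allowed list means the route has no scope restriction.
    public static bool AnyOf(ClaimsPrincipal principal, IReadOnlyCollection<string> allowed) =>
        allowed.Count == 0 || allowed.Intersect(UserScopes(principal)).Any();

    // All-of: passes only when no allowed scope is missing (the documented behaviour).
    // The missing scopes are returned so a rejection can say exactly what was absent.
    public static bool AllOf(ClaimsPrincipal principal, IReadOnlyCollection<string> allowed,
                             out List<string> missing)
    {
        missing = allowed.Except(UserScopes(principal)).ToList();
        return missing.Count == 0;
    }

    // Constructed sample principal: one "scope" claim per granted scope.
    static ClaimsPrincipal Token(params string[] scopes) =>
        new ClaimsPrincipal(new ClaimsIdentity(scopes.Select(s => new Claim("scope", s)), "Bearer"));

    public static void Main()
    {
        var allowed = new[] { "A", "B" };   // route AllowedScopes from the issue
        var tokens = new[] { new[] { "A" }, new[] { "A", "B" }, new[] { "C" }, new string[0] };

        foreach (var scopes in tokens)
        {
            var token = Token(scopes);
            var all = AllOf(token, allowed, out var missing);
            Console.WriteLine($"token=[{string.Join(",", scopes)}] " +
                              $"any-of={AnyOf(token, allowed)} all-of={all} " +
                              $"missing=[{string.Join(",", missing)}]");
        }
    }
}
```

The token holding only scope "A" is the case from the report: the any-of check accepts it, while the all-of check rejects it and lists "B" as missing.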
@mehyaa mehyaa linked a pull request May 31, 2021 that will close this issue
@raman-m raman-m added bug Identified as a potential bug proposal Proposal for a new functionality in Ocelot needs feedback Issue is waiting on feedback before acceptance accepted Bug or feature would be accepted as a PR or is being worked on and removed needs feedback Issue is waiting on feedback before acceptance labels Aug 24, 2023

raman-m commented Aug 24, 2023

The issue has been accepted due to the opened PR #1478

@raman-m raman-m linked a pull request Aug 24, 2023 that will close this issue
@raman-m raman-m changed the title Ocelot forward ReRoute when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them Ocelot forwards Route when userScopes contains Any from routeAllowedScopes, but docs says that it should contains all of them Aug 24, 2023