
add scope validation for token request

Open liyangau opened this issue 3 years ago • 1 comment


liyangau avatar Aug 25 '22 01:08 liyangau

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Aug 25 '22 01:08 CLAassistant

@liyangau Perhaps it doesn't need to validate the scope again against another global oauth2 plugin.

If a code was issued by a global (global_credentials=true) oauth2 plugin A and then was changed to an access_token by another global (global_credentials=true) oauth2 plugin B, the scope has already been validated at the code-issuing step by plugin A, so I don't think it needs to be validated again against another global oauth2 plugin.

A valid access_token can access multiple global oauth2 plugins, even though the access_token scope does not match the hit plugin's scope. Therefore, I think another scope check seems unnecessary. What do you think? :-)

vm-001 avatar Dec 17 '22 09:12 vm-001