
introspect endpoint doesn't follow RFC 7662

Open IIDarkKnightII opened this issue 4 years ago • 4 comments

SECURITY NOTICE: If you have found a security problem in the UAA, please do not file a public github issue. Instead, please send an email to [email protected]

Thanks for taking the time to file an issue. You'll minimize back and forth and help us help you more effectively by answering all of the following questions as specifically and completely as you can.

What version of UAA are you running?

http://docs.cloudfoundry.org/api/uaa/version/74.15.0

What did you do?

Hit /introspect endpoint to fetch the scope.

What did you expect to see? What goal are you trying to achieve with the UAA?

According to the RFC, the scope should be a JSON string containing a space-separated list of scopes associated with the token. This is how all the frameworks like Spring Security etc. and most of the major programming languages have built it, following the RFC.

RFC for Reference

"scope" : "scim.userids openid cloud_controller.read password.write cloud_controller.write"

What did you see instead?

I get the scope as an array like below:

"scope" : [ "scim.userids", "openid", "cloud_controller.read", "password.write", "cloud_controller.write" ]

IIDarkKnightII avatar Mar 06 '20 14:03 IIDarkKnightII
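The two encodings described in the report, handled on the client side by a normalizer that accepts both the RFC 7662 string form and the UAA array form. This is an added example, not code from UAA or from the reporter; the response bodies are constructed, and the function names are mine.

```python
import json

# Constructed sample introspection responses (not captured from a real server).
RFC7662_RESPONSE = json.dumps({
    "active": True,
    "client_id": "example-client",
    "scope": "scim.userids openid cloud_controller.read",
})

UAA_STYLE_RESPONSE = json.dumps({
    "active": True,
    "client_id": "example-client",
    "scope": ["scim.userids", "openid", "cloud_controller.read"],
})


def parse_scope(value):
    """Return the granted scopes as a list, accepting both encodings.

    RFC 7662 section 2.2 defines "scope" as a JSON string holding a
    space-separated list; UAA 74.15.0 returns a JSON array instead.
    Any other type is rejected rather than guessed at.
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [s for s in value.split(" ") if s]
    if isinstance(value, list) and all(isinstance(s, str) for s in value):
        return list(value)
    raise ValueError("unsupported scope encoding: %s" % type(value).__name__)


def granted_scopes(introspection_body):
    """Parse an introspection response body and return its scopes.

    Per RFC 7662, "active": false means the token is not valid, and the
    client must not rely on any other member of the response, so an
    inactive token yields no scopes regardless of what else is present.
    """
    body = json.loads(introspection_body)
    if body.get("active") is not True:
        return []
    return parse_scope(body.get("scope"))


def token_has_scope(introspection_body, required):
    """True only if the token is active and carries the required scope."""
    return required in granted_scopes(introspection_body)
```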

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/171670320

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Mar 06 '20 14:03 cf-gitbot

Thanks for bringing this to our attention @IIDarkKnightII - our Product Managers are looking into this and we'll update with our next steps, hopefully very soon!

joshuatcasey avatar Mar 09 '20 17:03 joshuatcasey

Is there any update on this? We're currently blocked on this, as we're trying to integrate UAA with Kafka (which uses KeyCloak - which expects the scope to be a single string). I appreciate there's a backwards-compatibility issue here, but could it be added with a flag to switch between the two formats? cc @joshuatcasey

DanSalt avatar Aug 10 '20 12:08 DanSalt

Hi @DanSalt backwards compatibility is the kicker. This issue isn't currently a priority for us, but we'd be open to a PR. If you wanted to put together a proposal describing how the flag would work and how you'd implement this feature we'd be happy to discuss it.

shamus avatar Aug 12 '20 00:08 shamus