
Consider a lenient scope validation strategy in OAuth2ClientCredentialsAuthenticationProvider

Open · yonyes opened this issue 2 years ago · 1 comment

Expected Behavior

When a token request includes scopes, some of which aren't permitted, return the new token with only the permitted scopes.

Current Behavior

When a token request includes scopes, some of which aren't permitted, it raises an internal exception, and the request is answered with 400: { "error": "invalid_scope" }

Context

It's not a rare scenario that permissions of clients are changed and the clients themselves are not always updated immediately (or at all). It makes sense to generate the token with the scopes it is allowed instead of failing the request.

The relevant code is in OAuth2ClientCredentialsAuthenticationProvider.java:

```java
for (String requestedScope : clientCredentialsAuthentication.getScopes()) {
    if (!registeredClient.getScopes().contains(requestedScope)) {
        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE);
    }
}
```

yonyes · Sep 06 '22 09:09

@yonyes

Section 3.2.2.1 Access Token Scope states the following:

The authorization server MAY fully or partially ignore the scope requested by the client, based on the authorization server policy or the resource owner's instructions.

Based on this, we'll consider a more lenient validation strategy.

jgrandja · Sep 13 '22 20:09

We should consider adding OAuth2ClientCredentialsAuthenticationProvider.setAuthenticationValidator(Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator), which would allow a consuming application to override the default scope validation.

The "authentication validator" feature exists in OAuth2AuthorizationCodeRequestAuthenticationProvider. See example.

jgrandja · Nov 18 '22 20:11

I want to take this issue, @jgrandja

I have a question.

When a token request includes scopes, some of which aren't permitted, and a custom lenient scope validation is used, OAuth2AuthorizationCodeRequestAuthenticationProvider can generate a token with a scope containing unpermitted ones. So how about generating the token with only the permitted & requested scopes by default?

appchemist · Dec 11 '22 14:12

Thanks for your interest @appchemist.

As soon as this issue is scheduled for a milestone, I'll reach out to you.

We'll be planning the features for the 1.1 release soon but I'm not sure yet if this will go into that release.

jgrandja · Dec 13 '22 15:12

I'd like to upvote this request. We have a use case similar to this one with prefix scopes that we'd like to support, and it would be relatively simple with a more lenient or configurable scope validation strategy. At the moment we're having to create quite an unpleasant workaround. I think a configurable strategy would be preferable.

adamleantech · Sep 29 '23 08:09

@adamleantech Please upvote the main issue comment.

jgrandja · Sep 29 '23 13:09

This is now resolved via gh-1377.

The default scope validation can now be customized using OAuth2ClientCredentialsAuthenticationProvider.setAuthenticationValidator(Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator).

jgrandja · Jan 15 '24 20:01
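An added example, not code from this thread or from the project, of what a "lenient but bounded" validator for the hook above could look like, using the prefix-scope use case adamleantech mentioned. It assumes the release containing gh-1377, that OAuth2ClientCredentialsAuthenticationContext exposes getRegisteredClient() and getAuthentication() (names assumed from the authorization-code analogue named earlier), and a constructed convention that a registered scope ending in ':' is a prefix; the Consumer can only accept or throw, so narrowing the issued scopes to the permitted subset (the original Expected Behavior) is not something this hook can express.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;

/**
 * Example validator (not project code). A requested scope passes if it is registered
 * verbatim, or if a registered scope ending in ':' is a prefix of it (constructed
 * convention: registered "orders:" admits "orders:read"). Anything else is still
 * rejected with invalid_scope, so the client cannot obtain a scope outside what was
 * registered for it; the provider then issues the token with the requested scopes,
 * so resource servers must understand the same prefix convention.
 */
public final class PrefixScopeValidator
        implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

    /** Pure policy: the requested scopes that the registered set does not cover. */
    static Set<String> disallowed(Set<String> requested, Set<String> registered) {
        Set<String> bad = new LinkedHashSet<>();
        for (String scope : requested) {
            boolean covered = registered.contains(scope)
                    || registered.stream().anyMatch(r -> r.endsWith(":") && scope.startsWith(r));
            if (!covered) {
                bad.add(scope);
            }
        }
        return bad;
    }

    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext context) {
        // Accessor names assumed (see lead-in).
        OAuth2ClientCredentialsAuthenticationToken authentication = context.getAuthentication();
        Set<String> registered = context.getRegisteredClient().getScopes();
        Set<String> bad = disallowed(authentication.getScopes(), registered);
        if (!bad.isEmpty()) {
            // Same error code as the default validator, so clients see no behavioural change.
            throw new OAuth2AuthenticationException(new OAuth2Error(
                    OAuth2ErrorCodes.INVALID_SCOPE, "requested scope not permitted for client", null));
        }
    }
}

// Wiring, wherever the application configures the provider:
// clientCredentialsAuthenticationProvider.setAuthenticationValidator(new PrefixScopeValidator());
```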