
Add PermissionDenied error response to authorization webhook

Open dc7303 opened this issue 3 years ago • 4 comments

What would you like to be added: Add PermissionDenied response to Authorization webhook response error. I think it would be good to talk about the spec. Issue starting point: https://github.com/yorkie-team/yorkie/pull/203#discussion_r662523173

Why is this needed: This is to distinguish between Unauthenticated and PermissionDenied responses.

dc7303 avatar Jul 02 '21 04:07 dc7303

@hackerwins Could I try this issue?

dc7303 avatar Aug 12 '21 05:08 dc7303

@dc7303 Of course!

hackerwins avatar Aug 12 '21 09:08 hackerwins

@hackerwins As I thought about this issue, I wondered if permission checks were the scope we should implement. Permissions will be managed by tokens by users according to specific rules.

What permissions should we check? Could you please elaborate a bit more on what you are thinking?

dc7303 avatar Oct 23 '21 09:10 dc7303

Both authentication and authorization checks should be performed by the external auth server.

In the case of Yorkie Server, there is a need to receive Unauthenticated and PermissionDenied responses from the auth server and send them to the client. If the token of the client is not authenticated, the client can retry the request after acquiring a new token. However, if the client doesn't have permission to the request, they cannot retry.

Currently, only the Unauthenticated status code is being passed from Yorkie server. There was a consideration of whether to explicitly pass PermissionDenied in the status code when the Auth server determines the lack of permissions.

hackerwins avatar Jun 10 '23 12:06 hackerwins
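The distinction discussed in this thread, as an added example that is not part of the issue and is not Yorkie's own code: a server-side helper that classifies the auth webhook's answer, plus the client-side retry decision. The HTTP status contract (200/401/403), all function and type names, the URL and the sample token are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

var (
	ErrUnauthenticated  = errors.New("unauthenticated")   // client may get a new token and retry
	ErrPermissionDenied = errors.New("permission denied") // retrying cannot succeed
)

// Authorize classifies the webhook answer. Assumed contract: 200 allowed, 401 bad token, 403 no permission.
func Authorize(c *http.Client, url, token, method string) error {
	body, _ := json.Marshal(map[string]string{"token": token, "method": method})
	resp, err := c.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return fmt.Errorf("auth webhook unreachable: %w", err)
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return nil
	case http.StatusUnauthorized:
		return ErrUnauthenticated
	case http.StatusForbidden:
		return ErrPermissionDenied
	}
	return fmt.Errorf("unexpected auth webhook status %d", resp.StatusCode) // fail closed: never grants access
}

// ShouldRetryWithNewToken is the client-side decision: only a rejected token is worth a retry.
func ShouldRetryWithNewToken(err error) bool { return errors.Is(err, ErrUnauthenticated) }

// stubAuthServer is a constructed stand-in for the auth server: it always answers with one status.
type stubAuthServer int
func (s stubAuthServer) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: int(s), Body: http.NoBody}, nil
}

// NewStubClient returns an HTTP client wired to the stub, so nothing touches the network.
func NewStubClient(status int) *http.Client { return &http.Client{Transport: stubAuthServer(status)} }

func main() {
	err := Authorize(NewStubClient(403), "http://auth.example/webhook", "sample-token", "sample-method")
	fmt.Println(err, ShouldRetryWithNewToken(err))
}
```

Any status outside the assumed contract is treated as an error and is not retried with a new token, so a misbehaving auth server cannot grant access or trigger a token-refresh loop.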