Support for spontaneous scopes

[nynymike]

There is a requirement for payments to send a transaction id as part of the scope. For example:
pis:4685456787 (where 4685456787 is the id of a certain resource)
or
sign:MmU5OTc1ODU0ODk3MmE4ZTg4MjJhZDQ3ZmExMDE3ZmY3MmYwNmYzZmY2YTAxNjg1MWY0NWMzOTg3MzJiYzUwYw==,RXhhbXBsZSBDb250cmFjdA==

Where the first parameter has a base64url encoded has value, second parameter after, is a label of the document to be signed.

The client should be configured to accept "spontaneous scopes"--as normally any non-registered scope should be rejected.

We also need to add a "spontaneous scope interception script", and map this script in the client configuration.

[yuriyz]

It is good idea to design it while we are re-factoring scope handling within this ticket #756.

[qbert2k]

@yuriyz @nynymike
Please provide more details about the requirement.

[yuriyz]

I will take over this feature. Re-scheduling it on 4.1 since due date of 4.0 code freeze was yesterday.

[altexy]

@yuriyz @nynymike
Please provide more details about the requirement.

I agree that the requirements are not fully detailed.

One point:

As I understand from discussion here #1133 (comment)
we plan to persist spontaneous scopes.

If it used as transaction part in a real-life system the number of registered scoped would increase indefinitely, IMO it is unacceptable.
We should think about the TTL of spontaneous scopes.

[yuriyz]

Right, in client config we should give ability to specify lifetime of spontaneous scopes (if no lifetime specified then indefinite -> scope will not be cleaned up).

[altexy]

Right, in client config we should give ability to specify lifetime of spontaneous scopes (if no lifetime specified then indefinite -> scope will not be cleaned up).

IMO we should have configurable default TTL instead of indefinite.

[yuriyz]

Global oxauth configuration:

• spontaneousScopeLifetime - spontaneous scope lifetime

Client :

• allow_spontaneous_scopes - boolean, whether to allow spontaneous scopes for client
• spontaneous_scopes - list of spontaneous scopes (regexp against which validation is performed)

New scope type : spontaneous.

[yuriyz]

Docs added GluuFederation/docs-ce-prod@45011ef

[yuriyz]

Implemented in master (4.2)

[altexy]

@yuriyz at which time the "spontaneous scope interception script" is invoked?

• when token with spontaneous scope is requested from GS?
• or when access token is introspected?

[yuriyz]

It is invoked during token request.

[altexy]

thanks

[sahilIT2020]

allowSpontaneousScopes and spontaneousScopes are not saved in client settings and reverted to default/blank after hitting save.

[yuriyz]

I will take over

[yuriyz]

I've checked it on latest 4.2. It perfectly works. Changes are saved (LDAP reflects changes as well as UI).