Multiple clients and scopes

[Natim]

f? @rfk @vladikoff

[vladikoff]

Wow! The Speed! 🚤

[Natim]

Wow! The Speed! 🚤

To be honest I didn't expect it too be wrapped up so quickly but we paired with @leplatrem 🙌

[leplatrem]

parse_resources() might not be the best name

[leplatrem]

REIFY_KEY ?

[leplatrem]

unused

[leplatrem]

Don't add suffix if authentication failed, or no specific client name is configured

[Natim]

Is it a comment you want to add?

[leplatrem]

Yes for the return user_id below

[leplatrem]

nit: plural vs singular

[leplatrem]

We might want to warn no?

[leplatrem]

no safety check here?

[rfk]

Is this adding additional principals, beyond the userid?

[Natim]

Yes

[leplatrem]

I think this could be clearer with comments or intermediary variables

[leplatrem]

AssertNotIn("33") ?

[leplatrem]

if settings is not an ordered dict I don't think it makes sense

[leplatrem]

• Update README / Documentation

[rfk]

The doc at [1] suggests this should have an "fxa:" prefix, like "fxa:5998e2e2e81c40bdad6d08ac2773bf61-lockbox".

[1] https://docs.google.com/document/d/19Tg5AyRdHDP7z_J6kWM-JgiO6tB6FmUuEXUweENYZq8/edit?ts=5a155487#

[Natim]

Yes this will be added by kinto.

[rfk]

It's not clear to me whether this is doing what you intend. What if the scope routing here was something like:

{
  "profile https://identity.mozilla.com/app/notes": "notes",
  "profile https://identity.mozilla.com/app/lockbox": "lockbox",
}

Then it seems to me that a token with "profile https://identity.mozilla.com/app/lockbox" would also match the set-intersection check above for "profile https://identity.mozilla.com/app/notes", because they both contain the "profile" scope. Is that the intended behaviour?

Or, if the keys in _fxa_oauth_scope_routing are only ever intended to be a single scope like "https://identity.mozilla.com/app/notes" rather than a list of scopes, maybe we should explicitly error out rather than doing set(x.split()) and so-on here.

On a side note: there's a lot of string splitting and parsing being done here on each request, I wonder if it would make sense to parse the scopes into a set or frozenset during config loading to make the checking here quicker.

[Natim]

Yes I need to add a few tests for that.

[rfk]

This mixing of client names with other config parameters seems kinda fragile to me. What if a future version of this library introduces a new config parameter, that happens to share a name with a client in my config?

How would it look if, instead, we used something like "fxa-oauth.clients.lockbox.required_scope" in order to ensure there can't be confusion between the client names and other config names?

[leplatrem]

Instead of in that case, I would say something like Depending on the requested scopes, Kinto Fxa will assign a user id or another (using suffix)

[leplatrem]

fxa:{user_id}-notes ?

[leplatrem]

you can still use the fxa:{user_id} principal

[leplatrem]

👍

[leplatrem]

logged in?

[leplatrem]

Yes for the return user_id below

[leplatrem]

scopes

[leplatrem]

Maybe we could declare routing_scopes outside the loop.
Plus we could iterate on it above instead of request.registry._fxa_oauth_scope_routing.items()

[leplatrem]

nit: use intermediary variable to have a something like if len(intersecting_scopes) > 1

[Natim]

Tested and configured in the dev instance:

    "user": {
        "bucket": "159e598f-3c2b-6d93-9df9-74a334657c9e", 
        "id": "fxa:6ce43a4a28a74cb99b27243035c7dd55-notes", 
        "principals": [
            "fxa:6ce43a4a28a74cb99b27243035c7dd55-notes", 
            "system.Everyone", 
            "fxa:6ce43a4a28a74cb99b27243035c7dd55", 
            "system.Authenticated"
        ]
    }