Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correctly handle per-operation scopes when importing from OpenAPI 3 #4756

Merged

Conversation

diesieben07
Copy link
Contributor

@diesieben07 diesieben07 commented May 4, 2022

This fixes #4755.
I have also corrected the involved tests, as they were actually testing this wrong behavior.

changelog(Fixes): Fixed an issue with how OAuth2 scopes were handled when importing from OpenAPI 3 specs

Copy link
Member

@filfreire filfreire left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diesieben07 thank you for contributing this 😊 🙏

I noticed only after writing my comment on #4755 that you had opened a PR with a potential fix.

I wasn't aware that by the RFC we could send scopes space-delimited, so it was good to clear that app.

I just have one small comment bellow, let me know if you're up for doing the improvement, if not one of the members of team can help out and finish this PR when possible.

@@ -44,7 +44,7 @@
"authorizationUrl": "https://api.server.test/v1/auth",
"grantType": "authorization_code",
"redirectUrl": "{{ oauth2RedirectUrl }}",
"scope": "read:something write:something",
"scope": "",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diesieben07 can you add 2 other endpoints where

  • we only define one of these two scopes
  • we define an entirely different scope (not read:something and write:something)?

Copy link
Contributor Author

@diesieben07 diesieben07 May 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the review.
I have a question about what you mean by "entirely different scope". Do you want a test that covers a Schema where an endpoint specifies a scope that is not listed in the security scheme? If so, that would technically not be a valid OpenAPI Schema anymore, if I understand the specification correctly. I can add a test for it, but the question is how such a scope should be handled:

  • Should it be ignored, since technically it is invalid here?
  • Should it be gracefully added to this endpoint anyways, even though it is not specified in the security scheme?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've now updated the test to test no scopes, only one scope as well as both scopes on the endpoint level.
Please let me know how to proceed regarding my question above.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@diesieben07 you are right, the spec would no longer be valid, and in theory in this case the authorization server would have to reply back with an invalid_scope according to spec.

The question becomes, do we want to allow folks to purposely setup invalid scopes in their specs for testing purposes... 🤷

For now the safest bet is probably the first option you mention: it should be ignored.

tagging @Kong/team-insomnia in case someone else might have another take on this.

@filfreire filfreire enabled auto-merge (squash) June 6, 2022 13:45
@filfreire filfreire merged commit 5b1ab1b into Kong:develop Jun 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Import from OpenAPI 3 does not correctly handle per-request scopes
2 participants