Punctuation not allowed in oauth2 scopes when calling /authorize or /token endpoints #658

Closed
t1tcrucible opened this issue Oct 27, 2015 · 3 comments

@t1tcrucible

When defining scopes for OAuth2, I can provide dotted strings, for example: someurl.profile.read, someurl.profile.write. Those are persisted correctly in Cassandra.

[screenshot, 2015-10-27]

When I later call the /oauth2/authorize or /oauth2/token endpoint with those "dotted" scopes, everything after the "." is gone and an error is returned (400 Bad Request). I tried other characters, and they all behave the same. Preferably I would like to be able to do that, and if for some reason this is not OK, then it is better to prevent defining those kinds of scopes in the first place. The reason we want to do this is that, following Google's practice, we want to combine scopes of different services on the same consent page. Thus we need the ability to prefix a scope.

@thibaultcha added the labels area/plugins and task/bug, and removed task/feature (Requests for new features in Kong), on Oct 28, 2015
@t1tcrucible (Author)

Hi Thibault, any idea on the priority for this bug?

regards,
Michallis

@t1tcrucible (Author)

In the oauth2 plugin's access.lua I've found that when processing requests:
scope = table.concat(scopes, " ")

Later, when retrieving the scope from the request parameter, the following code gets executed:
local function retrieve_scopes(parameters, conf)
  local scope = parameters[SCOPE]
  local scopes = {}
  if conf.scopes and scope then
    -- "%w+" matches runs of alphanumerics only, so "." and "," act as separators
    for v in scope:gmatch("%w+") do
      if not utils.table_contains(conf.scopes, v) then
        return false, {[ERROR] = "invalid_scope", error_description = "\""..v.."\" is an invalid "..SCOPE}
      else
        table.insert(scopes, v)
      end
    end
  elseif not scope and conf.mandatory_scope then
    return false, {[ERROR] = "invalid_scope", error_description = "You must specify a "..SCOPE}
  end

  return true, scopes
end

That means that a scope param with for example:
org.read,org.write

is being split up as:

> for i in string.gmatch("org.read,org.write", "%w+") do print(i) end
org
read
org
write

instead of
org.read
org.write

Can I change that using a split on ","? And send a pull request?
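The tokenizer quoted above does not merely reject dotted scopes: because "%w+" yields every alphanumeric run, a request for "org.read" is checked (and granted) as the two scopes "org" and "read", so the scope set the client asked for is silently rewritten before it is validated. The block below is an added example, not Kong's code, that places the quoted "%w+" tokenizer next to a delimiter-based split and runs both through the same validation against a constructed configuration. The configured scope list, the sample requests and the choice to accept both the RFC 6749 space delimiter and the comma used in the issue are assumptions made for the example.

```lua
-- Added example (not Kong's code): scope parsing as quoted from access.lua
-- versus a delimiter-based split that keeps dotted scope names intact.
-- Assumptions: conf.scopes and the request parameters are constructed here;
-- the comma is accepted as a delimiter because the issue's example uses it.

local SCOPE = "scope"
local ERROR = "error"

-- Exact-match lookup so "org" never satisfies "org.read" or vice versa.
local function to_set(list)
  local set = {}
  for _, v in ipairs(list) do set[v] = true end
  return set
end

-- Behaviour quoted in the issue: every run of [A-Za-z0-9_] becomes a scope,
-- so "org.read" is handed to the validator as "org" and "read".
local function split_word_runs(scope)
  local out = {}
  for v in scope:gmatch("%w+") do out[#out + 1] = v end
  return out
end

-- Proposed behaviour: split on the delimiter only. RFC 6749 separates scopes
-- with a space; the comma is added here to match the issue's example.
-- Punctuation inside a scope name is preserved, empty tokens are dropped.
local function split_on_delimiters(scope)
  local out = {}
  for v in scope:gmatch("[^%s,]+") do out[#out + 1] = v end
  return out
end

-- Same shape as the function quoted in the issue, with the tokenizer
-- injected so both variants can be compared against one configuration.
local function retrieve_scopes(parameters, conf, splitter)
  local scope = parameters[SCOPE]
  local scopes = {}
  if conf.scopes and scope then
    local allowed = to_set(conf.scopes)
    for _, v in ipairs(splitter(scope)) do
      if not allowed[v] then
        return false, { [ERROR] = "invalid_scope",
                        error_description = "\"" .. v .. "\" is an invalid " .. SCOPE }
      end
      scopes[#scopes + 1] = v
    end
  elseif not scope and conf.mandatory_scope then
    return false, { [ERROR] = "invalid_scope",
                    error_description = "You must specify a " .. SCOPE }
  end
  return true, scopes
end

local function describe(ok, res)
  if ok then return "granted: " .. table.concat(res, " ") end
  return "rejected: " .. res.error_description
end

-- Constructed sample configuration with dotted scope names.
local conf = {
  scopes = { "org.read", "org.write", "someurl.profile.read" },
  mandatory_scope = true,
}

-- The request from the issue, parsed with the quoted tokenizer.
print("word runs:   ", describe(retrieve_scopes({ scope = "org.read,org.write" }, conf, split_word_runs)))

-- The same request with the delimiter-based split.
print("delimiters:  ", describe(retrieve_scopes({ scope = "org.read,org.write" }, conf, split_on_delimiters)))

-- A scope that was never configured must still be rejected by the fixed split.
print("unknown:     ", describe(retrieve_scopes({ scope = "org.read org.admin" }, conf, split_on_delimiters)))

-- A missing scope parameter with mandatory_scope set is still an error.
print("missing:     ", describe(retrieve_scopes({}, conf, split_on_delimiters)))
```

With the quoted tokenizer the first request fails on "org", which is not a configured scope, while the delimiter-based split accepts "org.read" and "org.write" as configured and still rejects "org.admin" and the missing parameter. The point of keeping validation as an exact-match set lookup is that whatever string the client sent is the string that is compared against the configuration, so a prefix or suffix can never be granted on its own.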

@subnetmarco (Member)

@t1tcrucible this issue has been fixed and will be available in the next release.
