Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow custom data to be sent inside access tokens #1602

Merged
merged 2 commits into from
Feb 5, 2023
Merged

Allow custom data to be sent inside access tokens #1602

merged 2 commits into from
Feb 5, 2023

Conversation

JeremyC-za
Copy link
Contributor

@JeremyC-za JeremyC-za commented Nov 25, 2022

Summary

I've added a new config option - custom_access_token_fields. By default, this will be an empty array and have no effect, and when in use, it will be an array of symbols. This array of symbols will then be permitted parameters keys when authorising and granting access to an application. A developer can then configure their OAuth consent screen to allow custom data to be submitted during authorisation. This custom data will then be saved to the Access Grant, and will be included in any subsequently generated access tokens.

Example Use Case

You have a multi-tenanted platform, where our example user has access to tenant_1, tenant_2, and tenant_3. The example user would like to grant an OAuth application access to their data, but only for tenant_2, and not the others. Using this new config option, the developer of the platform can specify that a tenant_id will be submitted when granting access - custom_access_token_fields [:tenant_id]. The developer can then add a tenant_id column to the oauth_access_grants and oauth_access_tokens database tables, and then add a tenant select dropdown to their OAuth consent screen, allowing the tenant_id to be selected and submitted and saved. This tenant_id is then included in access tokens. When receiving a request using one of these access tokens, then developer can add measures to check that the requested resource belongs to the tenant for which the access token was created.

@guardrails
Copy link

guardrails bot commented Nov 25, 2022

⚠️ We detected 1 security issue in this pull request:

Insecure Use of Language/Framework API (1)
Docs Details
💡 Title: User Controlled Method Invocation, Severity: Medium

More info on how to fix Insecure Use of Language/Framework API in Ruby.


👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

@JeremyC-za
Copy link
Contributor Author

@nbulaj let me know what you think about these changes. I'm not sure about the codeclimate issue - seems like the code will be worse if I try to refactor that 🤷‍♂️

@nbulaj
Copy link
Member

nbulaj commented Dec 1, 2022

Thanks @JeremyC-za , will check a little bit later, don't have enough time. I like the idea, but I have to think if it could be done with current implementation or we still need some changes to make it possible

@nbulaj
Copy link
Member

nbulaj commented Jan 10, 2023

OK, I've checked the changes. I'm afraid of some broken ORM and other extensions (like openid connect) while we changed a few internal class initializers. Maybe we should consider another way of doing it, I'll think more about it.

@jonathansimmons
Copy link

Beyond just adding a thumbs up, I'll say this would be a huge feature addition allowing us to prioritize the user experience in multi-tenant setups.

Happy to discuss or contribute, but I'm not sure I understand the doorkeeper DSL and flows enough yet.

@ashkulz
Copy link

ashkulz commented Jan 19, 2023

@nbulaj can you elaborate on what exactly would break for other extensions?

@nbulaj
Copy link
Member

nbulaj commented Feb 1, 2023

Actually all the ORM extensions @ashkulz . Maybe more, have to be tested with doorkeeper-openid_connect as well (as it's also patches some Doorkeeper internals)

@nbulaj
Copy link
Member

nbulaj commented Feb 1, 2023

@JeremyC-za could you please rebase you branch on top of current main one ? Thanks 🙇

lib/doorkeeper/oauth/authorization_code_request.rb Outdated Show resolved Hide resolved
lib/doorkeeper/oauth/base_request.rb Outdated Show resolved Hide resolved
lib/doorkeeper/config.rb Outdated Show resolved Hide resolved
@JeremyC-za
Copy link
Contributor Author

@nbulaj I've rebased and actioned your feedback. Let me know if there's anything else I can do.

Copy link
Member

@nbulaj nbulaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍
Thanks!

@nbulaj nbulaj merged commit 8436928 into doorkeeper-gem:main Feb 5, 2023
@ashkulz
Copy link

ashkulz commented Feb 6, 2023

Thanks for merging this and doing a followup PR (#1634), @nbulaj!

@ashkulz ashkulz deleted the pre_auth_extension branch February 6, 2023 03:21
@ashkulz
Copy link

ashkulz commented Feb 22, 2023

@nbulaj can you publish a release to RubyGems?

@nbulaj
Copy link
Member

nbulaj commented Feb 22, 2023

Released with 5.6.5

@raivil
Copy link

raivil commented Mar 8, 2023

@JeremyC-za @nbulaj
I've tried adding this new feature and found one issue with rails migrations. Added to #1642

stanhu added a commit to stanhu/doorkeeper-openid_connect that referenced this pull request Apr 13, 2023
doorkeeper-gem/doorkeeper#1602 added custom
fields, and the tests need to be adjusted to expect the call to
`custom_access_token_attributes` for `preauth`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants