-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[management] Better select plan based on subscription #7824
Comments
Before this change, when dealing with multiple plans based on the same security type, the policy is applied prior to retrieve the associated subscription that needs to checked (same security type -> JWT and Oauth2 are both based on Authorization bearer token). This is not optimal because, in some circumstances, it can select a subscription that is not linked to the plan that has been executed. This change refactor the plan selection workflow by reordering the different steps. For JWT and Oauth2 plans, subscription has to be searched with client_id, to see if a plan can handle the incoming request. For Oauth2, client_id is retreived from token introspection, so we can't check subscription outside of policy chain execution, where the auth server is called. For JWT, client_id is always present in incoming request token claims. So we can fetch the subscription prior of policy chain execution. JWT are now processed prior to Oauth2 plans. Having multiple Oauth2 plans on the same API will still require selection rules to apply to right one. gravitee-io/issues#7824
@RubenMMSantos @LiliaEn, a simple test case for this ticket :
Additionnally, we have to check non-regression of all that is about JWT / Oauth2 plans and their selection rules. |
Before this change, when dealing with multiple plans based on the same security type, the policy is applied prior to retrieve the associated subscription that needs to checked (same security type -> JWT and Oauth2 are both based on Authorization bearer token). This is not optimal because, in some circumstances, it can select a subscription that is not linked to the plan that has been executed. This change refactor the plan selection workflow by reordering the different steps. For JWT and Oauth2 plans, subscription has to be searched with client_id, to see if a plan can handle the incoming request. For Oauth2, client_id is retreived from token introspection, so we can't check subscription outside of policy chain execution, where the auth server is called. For JWT, client_id is always present in incoming request token claims. So we can fetch the subscription prior of policy chain execution. JWT are now processed prior to Oauth2 plans. Having multiple Oauth2 plans on the same API will still require selection rules to apply to right one. gravitee-io/issues#7824
The following scenarios were covered:
|
Oauth2_plan+ Oauth2_plan scenario not working as expected, 1st plan is always overwriting the 2nd one in terms of behaviour (in terms of policies and selection_rules). |
Since #6528, selection of the subscription during the security chain execution is not perfect.
When dealing with multiple plans based on the same security type, the policy is applied prior to retrieve the associated subscription that needs to checked (same security type -> JWT and Oauth2 are both based on Authorization bearer token).
This is not optimal because, in some circumstances, it can select a subscription that is not linked to the plan that has been executed.
We must rethink the way plans are selected and executed by reordering the different steps:
The text was updated successfully, but these errors were encountered: