unstaged

client/client.go

@@ -40,7 +40,7 @@ type Client struct {
 	// described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
 	// can use when requesting access tokens.
 	//
-	// Pattern: ([a-zA-Z0-9\.]+\s)+
+	// Pattern: ([a-zA-Z0-9\.\*]+\s)+
 	Scope string `json:"scope" gorethink:"scope"`
 
 	// Owner is a string identifying the owner of the OAuth 2.0 Client.
@@ -87,7 +87,7 @@ func (c *Client) GetHashedSecret() []byte {
 }
 
 func (c *Client) GetScopes() fosite.Arguments {
-	return fosite.Arguments(strings.Split(c.Scope, " "))
+	return fosite.Arguments(strings.Fields(c.Scope))
 }
 
 func (c *Client) GetGrantTypes() fosite.Arguments {

cmd/server/helper_client.go

@@ -41,7 +41,7 @@ func (h *Handler) createRootIfNewInstall(c *config.Config) {
 		Name:          "This temporary client is generated by hydra and is granted all of hydra's administrative privileges. It must be removed when everything is set up.",
 		ResponseTypes: []string{"id_token", "code", "token"},
 		GrantTypes:    []string{"implicit", "refresh_token", "authorization_code", "password", "client_credentials"},
-		Scope:         "hydra.* hydra hydra.*.* openid offline",
+		Scope:         "hydra.* openid offline hydra",
 		RedirectURIs:  []string{"http://localhost:4445/callback"},
 		Secret:        secret,
 	}

config/config.go

@@ -9,10 +9,8 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	//"os"
 	"strings"
 	"time"
-
 	"os"
 
 	"github.com/ory/fosite"
@@ -72,6 +70,7 @@ type Config struct {
 
 func (c *Config) GetScopeStrategy() fosite.ScopeStrategy {
 	if c.ScopeStrategy == "DEPRECATED_HIERARCHICAL_SCOPE_STRATEGY" {
+		c.GetLogger().Warn("Using deprecated hierarchical scope strategy, consider upgrading to wildcards.")
 		return fosite.HierarchicScopeStrategy
 	}
 
@@ -308,7 +307,7 @@ func (c *Config) OAuth2Client(cmd *cobra.Command) *http.Client {
 		ClientID:     c.ClientID,
 		ClientSecret: c.ClientSecret,
 		TokenURL:     pkg.JoinURLStrings(c.ClusterURL, "/oauth2/token"),
-		Scopes:       []string{"hydra"},
+		Scopes:       []string{"hydra", "hydra.*"},
 	}
 
 	fakeTlsTermination, _ := cmd.Flags().GetBool("fake-tls-termination")

glide.yaml

@@ -25,7 +25,7 @@ import:
 - package: github.com/oleiade/reflections
   version: 1.0.0
 - package: github.com/ory/fosite
-  version: 0.11.1
+  version: 0.11.2
   subpackages:
   - compose
   - handler/oauth2

oauth2/handler.go

@@ -5,7 +5,6 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-
 	"strings"
 	"time"
 

oauth2/introspector_test.go

@@ -5,7 +5,6 @@ import (
 	"net/url"
 	"testing"
 	"time"
-
 	"context"
 	"fmt"
 
@@ -34,9 +33,10 @@ func init() {
 	now = time.Now().Round(time.Second)
 	tokens = pkg.Tokens(3)
 	fositeStore = storage.NewExampleStore()
+	fositeStore.Clients["my-client"].Scopes = []string{"fosite", "openid", "photos", "offline", "foo.*"}
 	r := httprouter.New()
 	serv := &oauth2.Handler{
-		ScopeStrategy: fosite.HierarchicScopeStrategy,
+		ScopeStrategy: fosite.WildcardScopeStrategy,
 		OAuth2: compose.Compose(
 			fc,
 			fositeStore,
@@ -55,23 +55,23 @@ func init() {
 	ts = httptest.NewServer(r)
 
 	ar := fosite.NewAccessRequest(oauth2.NewSession("alice"))
-	ar.GrantedScopes = fosite.Arguments{"core"}
+	ar.GrantedScopes = fosite.Arguments{"core", "foo.*"}
 	ar.RequestedAt = now
 	ar.Client = &fosite.DefaultClient{ID: "siri"}
 	ar.Session.SetExpiresAt(fosite.AccessToken, now.Add(time.Hour))
 	ar.Session.(*oauth2.Session).Extra = map[string]interface{}{"foo": "bar"}
 	fositeStore.CreateAccessTokenSession(nil, tokens[0][0], ar)
 
 	ar2 := fosite.NewAccessRequest(oauth2.NewSession("siri"))
-	ar2.GrantedScopes = fosite.Arguments{"core"}
+	ar2.GrantedScopes = fosite.Arguments{"core", "foo.*"}
 	ar2.RequestedAt = now
 	ar2.Session.(*oauth2.Session).Extra = map[string]interface{}{"foo": "bar"}
 	ar2.Session.SetExpiresAt(fosite.AccessToken, now.Add(time.Hour))
 	ar2.Client = &fosite.DefaultClient{ID: "siri"}
 	fositeStore.CreateAccessTokenSession(nil, tokens[1][0], ar2)
 
 	ar3 := fosite.NewAccessRequest(oauth2.NewSession("siri"))
-	ar3.GrantedScopes = fosite.Arguments{"core"}
+	ar3.GrantedScopes = fosite.Arguments{"core", "foo.*"}
 	ar3.RequestedAt = now
 	ar3.Session.(*oauth2.Session).Extra = map[string]interface{}{"foo": "bar"}
 	ar3.Client = &fosite.DefaultClient{ID: "doesnt-exist"}
@@ -102,6 +102,7 @@ func TestIntrospect(t *testing.T) {
 		for _, c := range []struct {
 			token     string
 			expectErr bool
+			scopes []string
 			assert    func(*oauth2.Introspection)
 		}{
 			{
@@ -123,6 +124,7 @@ func TestIntrospect(t *testing.T) {
 			{
 				token:     tokens[0][1],
 				expectErr: false,
+				scopes: []string{"foo.bar"},
 				assert: func(c *oauth2.Introspection) {
 					assert.Equal(t, "alice", c.Subject)
 					//assert.Equal(t, "tests", c.Issuer)
@@ -134,7 +136,7 @@ func TestIntrospect(t *testing.T) {
 			},
 		} {
 			t.Run(fmt.Sprintf("case=%s", k), func(t *testing.T) {
-				ctx, err := w.IntrospectToken(context.Background(), c.token)
+				ctx, err := w.IntrospectToken(context.Background(), c.token, c.scopes...)
 				if c.expectErr {
 					require.Error(t, err)
 				} else {

pkg/test_helpers.go

@@ -1,17 +1,13 @@
 package pkg
 
 import (
-	"testing"
 	"time"
 
 	"github.com/ory/fosite/handler/oauth2"
 	"github.com/ory/fosite/storage"
 	"github.com/ory/fosite/token/hmac"
 	"github.com/ory/ladon"
 	"github.com/ory/ladon/manager/memory"
-	"github.com/pkg/errors"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 var HMACStrategy = &oauth2.HMACSHAStrategy{

warden/warden_local.go

@@ -56,6 +56,7 @@ func (w *LocalWarden) TokenAllowed(ctx context.Context, token string, a *firewal
 	if err != nil {
 		w.L.WithFields(logrus.Fields{
 			"request": a,
+			"scopes":   scopes,
 			"reason":  "Token is expired, malformed or missing",
 		}).WithError(err).Infof("Access denied")
 		return nil, err