
Vault: enforce JWT OAuth scope per JSON-RPC method #22314

Merged: prashantkumar1982 merged 5 commits into develop from fix/vault-jwt-scope-method-auth on May 6, 2026

Conversation


@prashantkumar1982 prashantkumar1982 commented May 6, 2026

Summary

The Vault JWT path previously validated only the request digest binding, not whether the token's OAuth scope authorizes the requested JSON-RPC method.

Changes

  • Parse OAuth scopes from JWT scope (space-separated) and Auth0-style permissions array claims.
  • Enforce a fixed allowlist: create:secrets / update:secrets / delete:secrets / list:secrets mapped to vault.secrets.* methods. Fail closed on missing or non-matching scope.
  • System tests: mint JWTs with the scope derived from the request method.

@prashantkumar1982 prashantkumar1982 requested review from a team as code owners May 6, 2026 02:38
github-actions Bot commented May 6, 2026

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and in its text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

Reject Vault JWT auth when scope/permissions do not match the requested
method (create/update/delete/list secrets). Keeps digest binding as
integrity control. Aligns with CRE OAuth scopes used by GraphQL.

Updates system-test JWT minting to include the correct scope per method.

Co-authored-by: Cursor <cursoragent@cursor.com>
@prashantkumar1982 prashantkumar1982 force-pushed the fix/vault-jwt-scope-method-auth branch from 23fd54f to 284135a Compare May 6, 2026 02:40
github-actions Bot commented May 6, 2026

✅ No conflicts with other open PRs targeting develop

prashantkumar1982 changed the title from "fix(vault): enforce JWT OAuth scope per JSON-RPC method" to "Vault: enforce JWT OAuth scope per JSON-RPC method" May 6, 2026
mchain0 previously approved these changes May 6, 2026

// OAuthScopeForVaultRPCMethod returns the OAuth scope required to authorize the given
// Vault JSON-RPC method over the JWT path.
func OAuthScopeForVaultRPCMethod(method string) (string, error) {
Contributor: this is exported but lacks direct unit-test coverage

Contributor Author: It is called from here:

oauthScope, err := vaultjwt.OAuthScopeForVaultRPCMethod(req.Method)

Added more unit-tests too.

return scopes[0], nil
}

func extractOAuthScopesFromClaims(claims jwt.MapClaims) []string {
Contributor: only 67% of test coverage in cases

Contributor Author: now have all test-cases

},
}

if len(claims.Scopes) > 0 {
q: There shouldn't be more than 1 scope per token, should we check for that and possibly err?

Contributor Author: Ok, I am validating that the request token only has one Vault scope. Other scopes not related to Vault are ignored but not errored upon.
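
The scope handling described in the PR summary (scope string plus Auth0-style permissions array, fixed allowlist, fail closed) together with the one-Vault-scope-per-token rule agreed in the exchange above, as an added Go example that is not the project's own code: it assumes the vault.secrets.* method names, uses a plain map in place of jwt.MapClaims, and names the combined check AuthorizeVaultMethod.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var vaultMethodScopes = map[string]string{ // fixed allowlist from the PR; vault.secrets.* method names assumed
	"vault.secrets.create": "create:secrets", "vault.secrets.update": "update:secrets",
	"vault.secrets.delete": "delete:secrets", "vault.secrets.list": "list:secrets",
}
var knownVaultScopes = map[string]bool{"create:secrets": true, "update:secrets": true, "delete:secrets": true, "list:secrets": true}

// OAuthScopeForVaultRPCMethod fails closed: an unmapped method is an error, never an empty scope.
func OAuthScopeForVaultRPCMethod(method string) (string, error) {
	if s, ok := vaultMethodScopes[method]; ok {
		return s, nil
	}
	return "", fmt.Errorf("no OAuth scope mapped for method %q", method)
}

// extractVaultScopes reads the space-separated "scope" claim and the Auth0-style "permissions" array (claims stands in for jwt.MapClaims).
func extractVaultScopes(claims map[string]any) (vault []string) {
	s, _ := claims["scope"].(string)
	perms, _ := claims["permissions"].([]any)
	for _, p := range perms { // array entries join the space-separated list; non-string entries can never match
		s += " " + fmt.Sprint(p)
	}
	for _, candidate := range strings.Fields(s) {
		if knownVaultScopes[candidate] { // unrelated scopes such as "openid" are ignored, not rejected
			vault = append(vault, candidate)
		}
	}
	return vault
}

// AuthorizeVaultMethod requires exactly one known Vault scope in the token and that it equal the method's scope.
func AuthorizeVaultMethod(claims map[string]any, method string) error {
	required, err := OAuthScopeForVaultRPCMethod(method)
	if vault := extractVaultScopes(claims); err != nil || len(vault) != 1 || vault[0] != required {
		return errors.Join(err, fmt.Errorf("%s denied: token vault scopes %v, need exactly one: %q", method, vault, required))
	}
	return nil
}

func main() { // constructed sample claims: a create scope must not authorize a delete call
	claims := map[string]any{"scope": "openid create:secrets", "permissions": []any{"read:profile"}}
	fmt.Println(AuthorizeVaultMethod(claims, "vault.secrets.create"), AuthorizeVaultMethod(claims, "vault.secrets.delete"))
}
```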

timothyF95 previously approved these changes May 6, 2026
prashantkumar1982 and others added 2 commits May 6, 2026 11:39
Enforce exactly one known Vault secret scope per token (ignore non-Vault
claims). Add OAuthScopeForVaultRPCMethod unit tests and JWT auth tests
for multi-scope and openid+vault cases.

Co-authored-by: Cursor <cursoragent@cursor.com>
@prashantkumar1982 prashantkumar1982 dismissed stale reviews from timothyF95 and mchain0 via 8e878ad May 6, 2026 18:40

@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue May 6, 2026
Merged via the queue into develop with commit 5a1731f May 6, 2026
213 checks passed
@prashantkumar1982 prashantkumar1982 deleted the fix/vault-jwt-scope-method-auth branch May 6, 2026 20:35