FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Allow Permissions Grant to User for an Entity in OAuth Grant #1295

Open jobannon opened 3 years ago

jobannon commented 3 years ago

Allow Permissions Grant to User for an Entity in OAuth Grant

Problem

If a user is granted access to an Entity, those Entity Permissions cannot be accessed in the authorization code grant.

Solution

Allow one or more entities to be specified in the scope parameter so that the returned token contains permissions for these entities.

An example scope could use the prefix target-entity: or entity:. The client credentials grant uses target-entity: and source-entity: because there are two entities, but since here we have a user and an entity, it may be simpler to just use entity:.

Example of asking for permissions to two separate entities that the user already has a grant to - and asking for specific permissions.

entity:92dbded-30af-4149-9c61-b578f2c72600:read,write entity:119a84d9-06c5-4d1f-a0d4-a60490b70ac5:read

Example of asking for permissions to two separate entities that the user already has a grant to, permissions are omitted, so all of the granted permissions will be returned.

entity:92dbded-30af-4149-9c61-b578f2c72600 entity:119a84d9-06c5-4d1f-a0d4-a60490b70ac5

This would use the same logic as we do in the client credentials grant in that you can only ask for permissions to which you already have a grant. Asking for something you do not have would cause a validation error of some sort.

Alternatives/workarounds

You can of course use the API to retrieve the grants against your entity and you can search for all entities a user has been granted permissions on, but this is not currently part of any OAuth grants.

Currently you may even do this in the JWT Populate Lambda function using HTTP Lambda Connect (fetch).

Additional context

https://fusionauth.io/community/forum/topic/1118/can-i-get-permissions-granted-to-a-user-against-an-entity-in-an-oauth-grant

https://fusionauth.io/community/forum/topic/1114/how-to-get-an-access_token-for-an-entity-on-behalf-of-a-logged-user

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
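As an added worked example (not FusionAuth's code, and not posted by anyone in this thread), the following JavaScript implements the two things the issue body describes: the proposed `entity:<entityId>[:perm,perm]` scope format resolved against the grants a user already holds, with a validation error when a requested entity or permission is not granted, and the workaround of populating the JWT from an entity grant search made with Lambda HTTP Connect's `fetch`. The grant search endpoint, request body and response shape, the synchronous `fetch` returning `{status, body}`, the `jwt.scope` field and the `entityPermissions` claim name are assumptions of this example; `stubGrantSearchFetch` and `DEMO_GRANTS` are constructed stand-ins so it runs offline.

```javascript
// Added example, not FusionAuth code: the scope format proposed in this
// issue resolved against a user's existing entity grants, plus the JWT
// populate lambda workaround. Assumptions: the grant search URL, body and
// response shape are assumptions about the Entity Grant Search API; fetch(url,
// opts) returning {status, body} synchronously is the Lambda HTTP Connect
// shape; jwt.scope and the entityPermissions claim name are invented here.

const SCOPE_PREFIX = 'entity:';

// Pull the entity: tokens out of an OAuth scope string; other scopes
// (openid, profile, ...) are ignored. Returns Map<entityId, Set<permission>>;
// an empty Set means "every permission the user holds on that entity".
function parseEntityScopes(scope) {
  const requested = new Map();
  for (const token of String(scope || '').trim().split(/\s+/)) {
    if (!token.startsWith(SCOPE_PREFIX)) continue;
    const [entityId, permList = ''] = token.slice(SCOPE_PREFIX.length).split(':');
    if (!entityId) throw new Error(`invalid scope token: ${token}`);
    const perms = requested.get(entityId) || new Set();
    for (const p of permList.split(',')) if (p) perms.add(p);
    requested.set(entityId, perms);
  }
  return requested;
}

// Same rule the issue borrows from the client credentials grant: you may only
// ask for permissions you already hold. An unknown entity or an ungranted
// permission is a validation error, not a silently narrowed token.
// grants: [{ entityId, permissions: [...] }]
function resolveEntityPermissions(scope, grants) {
  const held = new Map(grants.map(g => [g.entityId, new Set(g.permissions)]));
  const claim = {};
  for (const [entityId, wanted] of parseEntityScopes(scope)) {
    const granted = held.get(entityId);
    if (!granted) throw new Error(`no grant for entity ${entityId}`);
    const missing = [...wanted].filter(p => !granted.has(p));
    if (missing.length) {
      throw new Error(`permissions not granted on ${entityId}: ${missing.join(',')}`);
    }
    claim[entityId] = [...(wanted.size ? wanted : granted)].sort();
  }
  return claim;
}

// JWT populate lambda shape: populate(jwt, user, registration). The extra
// fetchFn parameter defaults to the lambda runtime's global fetch and is
// injectable only so the stub below can exercise it offline.
function populate(jwt, user, registration, fetchFn = fetch) {
  const response = fetchFn('http://localhost:9011/api/entity/grant/search', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: 'API-KEY-PLACEHOLDER' },
    body: JSON.stringify({ search: { userId: user.id } })
  });
  if (response.status !== 200) return; // issue the token without entity claims
  const grants = JSON.parse(response.body).grants.map(g => ({
    entityId: g.entity.id,
    permissions: g.permissions
  }));
  // No entity: scopes requested -> include every grant the user holds.
  const scope = String(jwt.scope || '');
  const effectiveScope = parseEntityScopes(scope).size
    ? scope
    : grants.map(g => SCOPE_PREFIX + g.entityId).join(' ');
  jwt.entityPermissions = resolveEntityPermissions(effectiveScope, grants);
}

// Constructed stand-in for Lambda HTTP Connect's fetch: answers a grant
// search with the canned grants belonging to the requested userId.
function stubGrantSearchFetch(allGrants) {
  return function (url, options) {
    const { userId } = JSON.parse(options.body).search;
    const mine = allGrants
      .filter(g => g.userId === userId)
      .map(g => ({ entity: { id: g.entityId }, permissions: g.permissions, userId }));
    return { status: 200, body: JSON.stringify({ grants: mine, total: mine.length }) };
  };
}

// Sample data (constructed), reusing the two entity ids from the issue text.
const DEMO_GRANTS = [
  { userId: 'user-1', entityId: '92dbded-30af-4149-9c61-b578f2c72600', permissions: ['read', 'write', 'admin'] },
  { userId: 'user-1', entityId: '119a84d9-06c5-4d1f-a0d4-a60490b70ac5', permissions: ['read'] }
];

// Run the lambda for user-1 against the stub and return the resulting claim.
function demo(scope) {
  const jwt = { sub: 'user-1', scope };
  populate(jwt, { id: 'user-1' }, {}, stubGrantSearchFetch(DEMO_GRANTS));
  return jwt.entityPermissions;
}
```

In a real FusionAuth lambda you would keep only `populate` and its two helpers, drop the `fetchFn` parameter so the runtime's own `fetch` is used, and replace the placeholder API key with one scoped to the grant search endpoint. Because the lambda validates the requested scope against actual grants, a client asking for `write` on an entity where the user only holds `read` gets an error rather than an access token that quietly lacks the permission.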

chrisgoddard commented 2 years ago

Hey guys! Is there any update/timeline on this feature?

mooreds commented 1 year ago

@chrisgoddard sorry for the late response. We try to be transparent about issues assigned to a milestone, but sometimes schedules slip and features move around. Looks like this is slated for 1.39.0 right now.

gnuphie commented 1 year ago

This was exactly what I was trying to do. I'm glad I saw this before I spent a lot of time on a dead end. Hopefully this is still a future feature? I see it was removed from 1.40.0. Has it been added back in on a future milestone?

mooreds commented 1 year ago

@gnuphie , it is not currently slated for a release.

Please make sure to upvote this issue, as we take community upvotes into account when deciding on our roadmap. Here's our current roadmap guidance: https://fusionauth.io/docs/v1/tech/core-concepts/roadmap

Thanks for using FusionAuth.