SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Scope's appid is different from uaa's xsapname #176

Closed obarat closed 4 years ago

obarat commented 4 years ago

Hello,

We have an application that is bound to a service broker uaa. We are trying to implement our Security Config according to the sample webflux application, but what we see is that XsuaaServiceConfigurationDefault pulls the service broker's appId. The scope that we check with hasAuthority("Read") has a different xsappname, so the authentication always fails with a 403 Insufficient scope error.

I've confirmed that this is the cause of the authorization error because when I add our application's appId in the xsuaa.xsappname property in the application.properties file, the authorization works.

Is there a better way to define our application's appid as the prefix when checking for scope?

obarat commented 4 years ago

Example vcap uaa:

{
    "xsuaa": [
        {
            "label": "xsuaa",
            "provider": null,
            "plan": "broker",
            "name": "uaa",
            "tags": [
                "xsuaa"
            ],
            "instance_name": "uaa",
            "binding_name": null,
            "credentials": {
                "tenantmode": "dedicated",
                "sburl": "url.com",
                "clientid": "clientId123",
                "xsappname": "broker-app!123"
            },
            "syslog_drain_url": null,
            "volume_mounts": []
        }
    ]
}

Example token:

{
    "jti": "123",
    "ext_attr": {
        "enhancer": "XSUAA",
        "zdn": "tenant",
        "serviceinstanceid": "tenantId"
    },
    "sub": "123",
    "authorities": [
        "our-app!123.Read"
    ],
    "scope": [
        "our-app!123.Read"
    ],
    "aud": [
        "our-app!123"
    ]
}

nenaraab commented 4 years ago

@obarat please provide me the content of your xs-security.json (this is the xsuaa configuration file, security model description).

Thanks!

nenaraab commented 4 years ago

@obarat This "shortcut" with local scope checks hasAuthority("Read") works only in case the scope which is provided by the JWT token (e.g. our-app!b123.Read) begins with the xsuaa.credentials.xsappname which you can find in your VCAP_SERVICES (or in your xsuaa.xsappname property).

The Spring-xsuaa client lib allows checking global scopes (e.g. our-app!b123.Read) by default. In this case you should NOT configure the converter with converter.setLocalScopeAsAuthorities(true) like in the sample app: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/spring-webflux-security-xsuaa-usage/src/main/java/sample/spring/webflux/xsuaa/SecurityConfiguration.java#L55

Furthermore the xsuaa.credentials.xsappname in your VCAP_SERVICES matches the XSAPPNAME you've specified in your xs-security.json file.
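The following is an added illustration of the prefix rule nenaraab describes; it is not code from the SAP library and does not call its API. It models, as an assumption about behaviour rather than as the library's implementation, what a local scope check does with the token and VCAP_SERVICES values quoted in this issue: a scope only becomes a local authority when it starts with "<xsappname>.", so binding to the broker's instance ("broker-app!123") leaves the token's "our-app!123.Read" scope unmatched, while a global check on the full scope string does not depend on xsappname at all. All constants are taken from the excerpts above.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration (not SAP library code) of local versus global scope checks.
 * The prefix-stripping logic below is an assumption modelled on the explanation
 * in this issue, not the library's actual converter implementation.
 */
public class ScopePrefixCheck {

    /** Scopes from the "scope" claim of the example token posted in the issue. */
    static final List<String> TOKEN_SCOPES = List.of("our-app!123.Read");

    /** xsappname of the bound broker instance, from the VCAP_SERVICES excerpt. */
    static final String BROKER_XSAPPNAME = "broker-app!123";

    /** xsappname of the application itself, as set via the xsuaa.xsappname property. */
    static final String APP_XSAPPNAME = "our-app!123";

    /**
     * Local scope mode (the setLocalScopeAsAuthorities(true) shortcut): only scopes
     * that begin with "<xsappname>." are kept, with that prefix stripped. A scope
     * whose prefix does not match the configured xsappname is silently dropped,
     * so hasAuthority("Read") then finds nothing and the request ends in a 403.
     */
    static Set<String> localAuthorities(List<String> scopes, String xsappname) {
        String prefix = xsappname + ".";
        Set<String> authorities = new LinkedHashSet<>();
        for (String scope : scopes) {
            if (scope.startsWith(prefix)) {
                authorities.add(scope.substring(prefix.length()));
            }
        }
        return authorities;
    }

    /** Global scope mode: the authority is the full scope string, no prefix handling. */
    static boolean hasGlobalScope(List<String> scopes, String requiredScope) {
        return scopes.contains(requiredScope);
    }

    public static void main(String[] args) {
        // Scenario from the issue: the app is bound to the broker's uaa instance,
        // so the configured xsappname is the broker's, not the application's.
        Set<String> viaBroker = localAuthorities(TOKEN_SCOPES, BROKER_XSAPPNAME);
        System.out.println("local authorities with broker xsappname: " + viaBroker);
        System.out.println("hasAuthority(\"Read\") with broker xsappname: "
                + viaBroker.contains("Read"));

        // The workaround from the issue: override xsuaa.xsappname with the app's own id.
        Set<String> viaApp = localAuthorities(TOKEN_SCOPES, APP_XSAPPNAME);
        System.out.println("local authorities with app xsappname: " + viaApp);
        System.out.println("hasAuthority(\"Read\") with app xsappname: "
                + viaApp.contains("Read"));

        // The default global check nenaraab recommends: independent of xsappname.
        System.out.println("hasAuthority(\"our-app!123.Read\") globally: "
                + hasGlobalScope(TOKEN_SCOPES, "our-app!123.Read"));
    }
}
```

Compile and run it with `javac ScopePrefixCheck.java && java ScopePrefixCheck`. With the broker's xsappname the local authority set is empty, which is the 403 obarat observed; with the application's own xsappname the set contains "Read"; and the global check on "our-app!123.Read" succeeds in both cases, which is why leaving setLocalScopeAsAuthorities at its default and checking the full scope string avoids the mismatch without overriding xsuaa.xsappname.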