XSEDE / oauth-ssh

SSH with Globus Auth
Apache License 2.0

Client authorize url returns "Unknown scope(s)" #79

Open jtfalgout opened 9 months ago

jtfalgout commented 9 months ago

Trying to authorize a client with oauth-ssh-token through Globus with the command (where client-id is the uuid of the "client secrets" generated from an app registration):

oauth-ssh-token authorize hostnaname.foo.com --identity user@globusid.org --client-id 1234567-12334-1234-1234-123456789
Please go to this URL and login: https://auth.globus.org/v2/oauth2/authorize?redirect_uri=https%3A%2F%2Fauth.globus.org%2Fv2%2Fweb%2Fauth-code&client_id=48b0122345-11234-1234-1234-12345677&access_type=offline&state=_default&code_challenge=M4MUeWXiSz11uxkVKOQGQhn9d98zW9A0IQKsdfmcg7g&code_challenge_method=S256&response_type=code&scope=https%3A%2F%2Fauth.globus.org%2Fscopes%2F1234567-12334-1234-1234-123456789%2Fssh&session_message=The+SSH+service+requires+that+you+authenticate+using+this+identity%3A&session_required_identities=789876544-12345677-4318-876e-08f3d2f7138d
Please enter the code you get after login here:

I copy/paste the url into a browser, but Globus returns an error about an unknown scope:

Unknown scope(s)
Sorry, but we encountered a problem while servicing your request.

client_id=48b0122345-11234-1234-1234-12345677 requested unknown scopes: ['https://auth.globus.org/scopes/1234567-12334-1234-1234-123456789']

Occurred at time:
2023-09-22T20:56:59.557105+00:00
Error ID:
f5b5939495dc4c6cbfe585ef48b2f1fb
Error code:
UNKNOWN_SCOPE_ERROR

Looking at how scope is set in globus_auth.py,

scope = SCOPE_FORMAT.format(fqdn=fqdn)

It looks like the scope is just the fqdn passed to the command, which I think correlates to the app registration of SSH@fqdn as instructed in the server setup.

Have the scope requirements changed? Or am I now registering an app incorrectly and not creating the correct scope?

Jeff
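
Added example, not part of the original post or the oauth-ssh code base: a small Python helper that decodes an authorize URL like the one above and reports the client_id and scope it actually carries, next to the scope expected for the host name given on the command line. `ASSUMED_SCOPE_FORMAT` and the function names are assumptions; the template's shape is inferred from the scope visible in the posted URL, since the page does not show the value of `SCOPE_FORMAT`.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumption: shape inferred from the scope visible in the posted URL;
# the page shows SCOPE_FORMAT being used but not its value.
ASSUMED_SCOPE_FORMAT = "https://auth.globus.org/scopes/{fqdn}/ssh"


def authorize_params(url):
    """Decode the query string of an OAuth2 authorize URL into a dict."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in query.items()}


def scope_report(url, fqdn):
    """Compare the scope(s) carried by the URL with the one expected for fqdn."""
    params = authorize_params(url)
    requested = params.get("scope", "").split()  # OAuth2 scopes are space-delimited
    expected = ASSUMED_SCOPE_FORMAT.format(fqdn=fqdn)
    return {
        "client_id": params.get("client_id"),
        "requested": requested,
        "expected": expected,
        "unexpected": [s for s in requested if s != expected],
        "pkce_method": params.get("code_challenge_method"),
    }


# Constructed sample: a shortened URL rebuilt from the redacted values in the post.
SAMPLE_URL = "https://auth.globus.org/v2/oauth2/authorize?" + urlencode({
    "redirect_uri": "https://auth.globus.org/v2/web/auth-code",
    "client_id": "48b0122345-11234-1234-1234-12345677",
    "code_challenge_method": "S256",
    "response_type": "code",
    "scope": "https://auth.globus.org/scopes/1234567-12334-1234-1234-123456789/ssh",
})

if __name__ == "__main__":
    for key, value in scope_report(SAMPLE_URL, "hostnaname.foo.com").items():
        print(f"{key}: {value}")
```

A non-empty `unexpected` list means the URL requests a scope other than the one built from the host name, which is the value to compare against the scopes registered for the app.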