antek-drzewiecki / wine_bouncer

A Ruby gem that allows OAuth2 protection with Doorkeeper for Grape APIs
MIT License

is it possible to support multiple oauth2 protections to one endpoint? #33

Closed calfzhou closed 8 years ago

calfzhou commented 9 years ago

Doorkeeper's scope checking only ensures that the client has at least one of the required scopes, e.g. oauth2 :x, :y, :z will succeed even if the client's scope contains only :x. I'd like to protect an endpoint with multiple required scopes, e.g. only a client with both :x and :y permissions can access the endpoint. Is it possible to make wine_bouncer support syntax like this:

oauth2 :x
oauth2 :y
get :resources_with_both_x_and_y_permissions do
  ...
end
antek-drzewiecki commented 9 years ago

No, this is not possible at the moment; it uses Doorkeeper's default behaviour for scope checking. It's all because a token can only be assigned one scope (correct me if I'm wrong). You might want to imply rules that scope :x is a sub- or superset of scope :y. For example, you might want to define scope read and scope read_and_write.

calfzhou commented 9 years ago

Do you mean oauth2 :x, :y? It does not ensure the client has both :x and :y permissions, since doorkeeper_token.acceptable?(scopes) only makes sure the token includes any (at least one) of the required scopes.

calfzhou commented 9 years ago

One access token can be assigned any number of scopes. When a client app requests a token, its params[:scope] can be a space-separated string listing more than one scope. And in the Doorkeeper model, AccessToken.scopes is an array too.

antek-drzewiecki commented 9 years ago

I believe it should be the responsibility of Doorkeeper to decide how token scopes are handled. Do you agree? I doubt this kind of logic should be implemented in wine_bouncer, since it is mostly intended to pass rules to Doorkeeper. Any other Doorkeeper user might also profit from this implementation. My suggestion is to open a ticket there.

calfzhou commented 9 years ago

Yes, I agree with you. I already asked them for this behavior, but haven't got a response yet.

I just checked the Swagger spec; though there is no explicit declaration about this, its owner said it might be a logical AND between required scopes.

antek-drzewiecki commented 9 years ago

Indeed, the Swagger spec fails to mention the behavior.

calfzhou commented 9 years ago

It would be great to support multiple oauth2 declarations for one endpoint ~~

calfzhou commented 9 years ago

Or maybe syntax like

oauth2 do
  authorize! :x, :y
  authorize! :z
end

or

oauth2 [:x, :y], :z

so that only a client that has either [:x, :z] or [:y, :z] permissions can use this endpoint.
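To make the three matching rules discussed in this thread concrete, here is a small Ruby model written for this page (it is not wine_bouncer or Doorkeeper code): the any-of check the thread attributes to doorkeeper_token.acceptable?, the all-of check calfzhou asks for, and the OR-group form proposed as oauth2 [:x, :y], :z. The Token class, the method names and the "no required scopes means allow" rule are assumptions of this example, not Doorkeeper's API.

```ruby
require 'set'

# Minimal stand-in for a Doorkeeper access token: only the scopes it was granted.
# Constructed for this example; it is not Doorkeeper's AccessToken class.
class Token
  attr_reader :scopes

  def initialize(scope_string)
    # The scope parameter of a token request is a space-separated string.
    @scopes = Set.new(scope_string.to_s.split(' ').map(&:to_sym))
  end
end

# Any-of check: the behaviour the thread attributes to doorkeeper_token.acceptable?.
# oauth2 :x, :y, :z passes when the token holds at least one of them.
# Assumption: an endpoint that requires no scopes is open to any valid token.
def acceptable_any?(token, *required)
  required.empty? || required.any? { |s| token.scopes.include?(s) }
end

# All-of check: the AND semantics wanted for stacked `oauth2 :x` / `oauth2 :y`.
def acceptable_all?(token, *required)
  required.all? { |s| token.scopes.include?(s) }
end

# Check for the proposed `oauth2 [:x, :y], :z` form: every argument must be
# satisfied; an Array argument is satisfied by any one of its members, a bare
# symbol only by itself. So [:x, :y], :z means (x OR y) AND z.
def acceptable_groups?(token, *groups)
  groups.all? { |g| Array(g).any? { |s| token.scopes.include?(s) } }
end

if __FILE__ == $PROGRAM_NAME
  t = Token.new('x z')
  puts acceptable_any?(t, :x, :y)           # true: has x
  puts acceptable_all?(t, :x, :y)           # false: lacks y
  puts acceptable_groups?(t, [:x, :y], :z)  # true: (x OR y) AND z
end
```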