indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

method to find allowed scopes of a user and client #815

Closed stlammel closed 2 weeks ago

stlammel commented 1 month ago

Dear IAM developers, we discussed the need for vault to find the allowed scopes for a user about a month ago. We had tested with the client credential workflow that requesting a disallowed scope would yield an error and not the scope being skipped. I just tried this via the vault, i.e. authorization workflow via registered client. If the scope is authorized for the client but policy does not authorize it for the user, the scope is omitted in the issued token. However, if the scope is not authorized for the vault client I get a similar error "HTTP 403: Forbidden" as with the client credential workflow. Given that especially at the beginning there will be many wrong scope requests, a function/method for the vault to get a list of allowed/maximum scopes for a user would be great. Thanks,
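The two behaviours described above (a 403 when a scope is not registered for the client, versus a silently downscoped token when a scope policy denies it to the user) are easy to confuse from the client side. The following is an added example, not code from IAM, vault or htgettoken, showing how a client can classify a token-endpoint response and recover the list of scopes that were dropped. It assumes RFC 6749 semantics for the `scope` field of the token response (present when the granted scopes differ from the requested ones) and a WLCG-profile style `scope` claim in the access token; the token built here is a constructed, unsigned placeholder, and the payload is decoded without signature verification purely to compare scope lists (a real client verifies signature, issuer, audience and expiry before trusting any claim).

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url-encode without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """base64url-decode a JWS segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_scope_claim(token: str) -> set:
    """Read the space-separated 'scope' claim from a compact JWS payload.

    No signature verification is done here: this is only used to compare
    requested vs. issued scopes, not to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(str(claims.get("scope", "")).split())


def classify_token_response(requested, status, body):
    """Classify a token-endpoint reply into 'forbidden', 'downscoped' or 'granted'.

    - 403        -> a requested scope is not authorized for the client (hard failure)
    - 200 + fewer scopes than requested -> a scope policy filtered some of them
    - 200 + all scopes   -> everything requested was issued
    """
    requested = set(requested)
    if status == 403:
        return {"outcome": "forbidden", "granted": set(), "filtered": requested}
    if status != 200:
        return {"outcome": f"http_{status}", "granted": set(), "filtered": requested}

    if "scope" in body:
        # RFC 6749 5.1: the server must send `scope` when it differs from the request.
        granted = set(body["scope"].split())
    elif body.get("access_token", "").count(".") == 2:
        # No `scope` field: cross-check against the claim inside the JWT, if any.
        granted = jwt_scope_claim(body["access_token"]) or requested
    else:
        granted = requested  # omitted `scope` means identical to the request

    filtered = requested - granted
    return {
        "outcome": "downscoped" if filtered else "granted",
        "granted": granted,
        "filtered": filtered,
    }


def _fake_jwt(claims: dict) -> str:
    """Constructed, UNSIGNED token for this offline demo; the signature is a placeholder."""
    header = _b64url(json.dumps({"alg": "none", "typ": "at+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample input: three scopes requested by the client.
REQUESTED = ["openid", "storage.read:/", "storage.create:/"]

# Constructed: all three scopes are registered for the client, but a scope policy
# denies storage.create:/ to this user, so the issued token silently omits it.
DOWNSCOPED_BODY = {
    "access_token": _fake_jwt({"sub": "example-user", "scope": "openid storage.read:/"}),
    "token_type": "Bearer",
    "expires_in": 3600,
}

# Constructed: a requested scope is not registered for the client at all; the
# server answers 403 Forbidden and no token body is returned.
FORBIDDEN_BODY = {}


def demo():
    """Run both constructed scenarios and return the classifications."""
    return {
        "downscoped": classify_token_response(REQUESTED, 200, DOWNSCOPED_BODY),
        "forbidden": classify_token_response(REQUESTED, 403, FORBIDDEN_BODY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Logging the `filtered` set on every `downscoped` result gives an operator the same information the requested "allowed scopes" method would provide, one request at a time, and makes the user-policy case distinguishable from the client-registration case in the logs.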

stlammel commented 1 month ago

CILogon has a "wlcg.capabilityset" scope that translates to a list of scopes the user is authorized to have.

federicaagostini commented 1 month ago

Hello, if you mean the "wlcg.capabilityset" specified in the WLCG profile (https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#group-based-capability-selection), we will modify IAM accordingly in order to be compliant, once version 2 of the profile is approved/published. Anyway, as far as I understand this feature allows selection of scopes based on groups, while IAM scope policies apply also to users (and, in future, clients).

So, to summarize, your request is to always obtain a 403 Forbidden even when the scopes are filtered by the IAM scope policies? Or do you suggest fully implementing the "wlcg.capabilityset" feature? Or exposing an endpoint for any user that lists the allowed scopes?

stlammel commented 1 month ago

Hello Federica, thanks for the pointer! I didn't know "wlcg.capabilityset" was documented / part of the WLCG v2 profile. Reading through, this is really for acquiring scopes based on groups. We don't plan to use/expose groups in the token but handle them internally in IAM via policies. So, this will not work for us, I believe. Let me discuss/brainstorm with Dave and a few others. Many Thanks, cheers, Stephan

stlammel commented 2 weeks ago

Ok, after discussion with Dave, we will handle this in the vault config grouping scopes into a few collections and then using the downscoping htgettoken provides. I'll close this out.