Closed stlammel closed 2 weeks ago
CILogon has a "wlcg.capabilityset" scope that translates to a list of scopes the user is authorized to have.
Hello, if you mean the "wlcg.capabilityset" specified in the WLCG profile (https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#group-based-capability-selection), we will modify IAM accordingly in order to be compliant, once version 2 of the profile is approved/published. Anyway, as far as I understand, this feature allows selection of scopes based on groups, while IAM scope policies also apply to users (and, in future, clients).
So, to summarize, is your request to always obtain a 403 Forbidden even when the scopes are filtered by the IAM scope policies? Or do you suggest fully implementing the "wlcg.capabilityset" feature? Or exposing an endpoint for any user that lists the allowed scopes?
Hello Federica, thanks for the pointer! I didn't know "wlcg.capabilityset" was documented / part of the WLCG v2 profile. Reading through, this is really for acquiring scopes based on groups. We don't plan to use/expose groups in the token but handle them internally in IAM via policies. So, this will not work for us, I believe. Let me discuss/brainstorm with Dave and a few others. Many thanks, cheers, Stephan
OK, after discussion with Dave, we will handle this in the vault config by grouping scopes into a few collections and then using the downscoping htgettoken provides. I'll close this out.
Dear IAM developers, we discussed the need for vault to find the allowed scopes for a user about a month ago. We had tested with the client credential workflow that requesting a disallowed scope would yield an error rather than the scope being skipped. I just tried this via the vault, i.e. the authorization workflow via a registered client. If the scope is authorized for the client but policy does not authorize it for the user, the scope is omitted in the issued token. However, if the scope is not authorized for the vault client, I get a similar error, "HTTP 403: Forbidden", as with the client credential workflow. Given that especially at the beginning there will be many wrong scope requests, a function/method for the vault to get a list of allowed/maximum scopes for a user would be great. Thanks,