ncsa / oa4mp

Open Authorization for MyProxy
https://oa4mp.org/

Add client flag to allow commas in scope lists? #172

Open jjg-123 opened 6 months ago

jjg-123 commented 6 months ago

This keeps happening, that a client sends us a wrong list of scopes. The spec states that scopes are blank-delimited and that commas may be embedded, so a scope would get turned into

"X,A Y Z" --> ["X,A", "Y", "Z"] // in JSON

is three scopes. A not uncommon error from clients is to use some utility on lists that turns it into a comma-delimited string. So they intend to send "X Y Z" but instead send

"X,Y,Z" --> ["X,Y,Z"]

resulting in a single, large scope that cannot be asserted. We fulfill our contract and assert nothing, then they eventually (and possibly much later) get downstream errors that they do not understand.

Therefore, I propose a flag for the client configuration that rejects lists of scopes that contain commas unless the flag is set true. That is to say, we still process as per spec, but if a scope contains a comma, that raises an error.

jjg-123 commented 2 months ago

One additional point here is that vault accepts requests from users for scopes and then processes them. This sometimes means that we get auto-generated scopes like

", foo,bar,baz" which include the double quotes and commas!!

Therefore, I think that we should probably add this flag for clients.
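The check proposed in both comments above, as an added example (not oa4mp code): scopes are split per spec, a per-client `allow_commas` flag decides whether a comma inside a scope-token is an error, and, going slightly beyond the issue text, each token is also checked against the RFC 6749 section 3.3 scope-token character set, which is what catches the auto-generated `", foo,bar,baz` string since a double quote is not a legal scope character. The function and flag names are assumptions for this example.

```python
"""Scope-list parsing with the comma check proposed in this issue.

Added example, not code from oa4mp. Per RFC 6749 section 3.3 the
scope parameter is a space-delimited list of scope-tokens, and a
scope-token may contain a comma (0x2C) but not a double quote (0x22).
"""
import re

# Characters permitted in one scope-token by RFC 6749 section 3.3:
# %x21 / %x23-5B / %x5D-7E (printable ASCII without space, '"' and '\').
_SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")


class ScopeError(ValueError):
    """Raised when a scope list is rejected by the client configuration."""


def parse_scopes(scope_param: str, allow_commas: bool = False) -> list[str]:
    """Split a scope parameter per spec and apply the client flag.

    allow_commas is the proposed per-client flag (name assumed here): when
    False, the safe default, any scope-token containing a comma is rejected,
    since it almost always means the client joined its list with commas.
    """
    tokens = scope_param.split()  # blank-delimited, as the spec says
    for tok in tokens:
        if not _SCOPE_TOKEN.match(tok):
            raise ScopeError(f"scope token has characters outside the RFC 6749 set: {tok!r}")
        if "," in tok and not allow_commas:
            raise ScopeError(f"scope token contains a comma; comma-delimited list? {tok!r}")
    return tokens


def check_request(scope_param: str, allow_commas: bool = False) -> tuple[bool, str]:
    """Return (accepted, detail) so the outcome can be logged server-side."""
    try:
        return True, " ".join(parse_scopes(scope_param, allow_commas))
    except ScopeError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs mirroring the issue: a correct list, an embedded
    # comma, a comma-joined list, and the quoted auto-generated string.
    for raw in ["X Y Z", "X,A Y Z", "X,Y,Z", '", foo,bar,baz']:
        print(f"{raw!r:18} allow_commas=False -> {check_request(raw)}")
        print(f"{raw!r:18} allow_commas=True  -> {check_request(raw, True)}")
```

With the flag off, the comma-joined request fails at the token endpoint instead of silently asserting nothing, which is the "downstream errors they do not understand" case the issue describes.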