ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

"any" matching option for "required_scope" in JWT authenticator #1129

Open damianpietruszewski opened 1 year ago

damianpietruszewski commented 1 year ago

Preflight checklist

Ory Network Project

No response

Context and scope

Currently, all scopes in required_scope in the JWT authenticator are required to be matched by token scopes.

Example of a match: "required_scope": ["scope1", "scope2"] token scopes: "scope1 scope2"

We would like an option so that any (at least one) match would be enough.

Example of a match: "required_scope": ["scope1", "scope2"] token scopes: "scope1"

We have started a discussion about it in https://github.com/ory/oathkeeper/discussions/1038.

Goals and non-goals

Goals:

Non-goals:

The design

We propose a new JWT authenticator configuration - scope_match_multiplicity.

scope_match_multiplicity will control how many matches of required_scope are required. Supported values for scope_match_multiplicity: all, any.

scope_match_multiplicity should be optional, and the option all should be its default, as it reflects the current logic.

  1. all scope match multiplicity option requires all scopes from required_scope to be matched by token scopes. Example of a match: "required_scope": ["scope1", "scope2"] token scopes: "scope1 scope2"
  2. any scope match multiplicity option requires at least one scope from required_scope to be matched by token scopes. Example of a match: "required_scope": ["scope1", "scope2"] token scopes: "scope1"

APIs

No response

Data storage

No response

Code and pseudo-code

No response

Degree of constraint

No response

Alternatives considered

  1. Complex matching rules for required_scope consisting of a mix of logical ANDs and ORs

    • for someone who needs only "OR" or only "AND" matching this will introduce unnecessary complexity
    • it may require a different format for required_scope
  2. Merging scope_strategy and scope_match_multiplicity into one value.

    • scope_strategy and scope_match_multiplicity control different matters
    • this config can be used in various combinations, so there will be a need for a const for each combination, e.g. exact_all, exact_any
    • scope_strategy values are extracted to a separate lib and are probably used in many different apps, which we will affect with our changes
  3. A separate field any_scope similar to required_scope for scopes that will require at least one match instead of scope_match_multiplicity.

    • each scope_match_multiplicity option has to be implemented as a new x_scope field
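
The proposed all/any rule, written out as an added illustration that is not Oathkeeper's own code: it assumes a function named RequiredScopesSatisfied, compares scopes exactly (the other scope_strategy values are not modelled), treats an unset option as all, as the design proposes, and fails closed on an unknown value.

```go
package main

import (
	"fmt"
	"strings"
)

// Multiplicity mirrors the proposed scope_match_multiplicity option.
type Multiplicity string

const (
	MatchAll Multiplicity = "all" // today's behaviour and the proposed default
	MatchAny Multiplicity = "any" // at least one required scope must be present
)

// RequiredScopesSatisfied decides whether a token's space-separated "scope"
// claim satisfies required_scope under the given multiplicity (exact match only).
// An empty multiplicity means "all", so existing configs keep their behaviour;
// an unknown value is rejected instead of being silently treated as "any".
func RequiredScopesSatisfied(required []string, tokenScope string, m Multiplicity) (bool, error) {
	granted := map[string]bool{}
	for _, s := range strings.Fields(tokenScope) {
		granted[s] = true
	}
	if len(required) == 0 {
		return true, nil // nothing required: allowed, as today
	}
	matched := 0
	for _, r := range required {
		if granted[r] {
			matched++
		}
	}
	switch m {
	case "", MatchAll:
		return matched == len(required), nil
	case MatchAny:
		return matched > 0, nil
	default:
		return false, fmt.Errorf("unknown scope_match_multiplicity %q", m)
	}
}

func main() {
	required := []string{"scope1", "scope2"} // the issue's example config
	for _, tc := range []struct{ scope string; m Multiplicity }{{"scope1 scope2", MatchAll}, {"scope1", MatchAll}, {"scope1", MatchAny}} {
		ok, err := RequiredScopesSatisfied(required, tc.scope, tc.m)
		fmt.Printf("multiplicity=%q token=%q -> %v %v\n", tc.m, tc.scope, ok, err)
	}
}
```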
cezarywysocki commented 1 year ago

very useful

hamzabouissi commented 3 months ago

any update on this