This PR adds support for wildcard scopes in M2M auth.
This means that an M2M client can have a scope like `read:*` and if given a required scope of `read:foo`, authentication will be allowed.
This does not affect "simple" scopes like `read` or `read_users` -- only scopes with a separating `:` are supported.
Furthermore, the assumption is that the scopes will be given as `action:resource`, though it is technically possible to assign in a different way like `users:read`, though in that case, a scope of `users:*` would not match a required scope of `read:users`. But as long as an application is consistent, this would be allowed.
Furthermore, a scope of just `*` does not get interpreted as an "omniscient" client -- instead, this is seen as the literal character `*` and gets matched similarly to `read_users` as mentioned above.
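The matching rules in the description above, sketched as an added Python example; it is not the PR's code. The function names, the split on the first `:` only, and the refusal to match an empty action or resource are assumptions.

```python
from typing import Iterable

WILDCARD = "*"
SEPARATOR = ":"


def scope_satisfies(granted: str, required: str) -> bool:
    """Return True if one granted scope satisfies one required scope."""
    # Exact match covers simple scopes such as "read" or "read_users",
    # and a bare "*", which is only the literal character.
    if granted == required:
        return True
    # Wildcards apply only when both scopes contain the separator.
    if SEPARATOR not in granted or SEPARATOR not in required:
        return False
    # Assumption: split on the first separator only.
    g_action, g_resource = granted.split(SEPARATOR, 1)
    r_action, r_resource = required.split(SEPARATOR, 1)
    # Assumption: the wildcard must be the entire resource part, and an
    # empty action or resource never matches.
    return (
        g_resource == WILDCARD
        and g_action != ""
        and g_action == r_action
        and r_resource != ""
    )


def client_allows(granted_scopes: Iterable[str], required: str) -> bool:
    """Return True if any scope held by the client satisfies `required`."""
    return any(scope_satisfies(g, required) for g in granted_scopes)


# Constructed cases: (scopes held by the client, required scope).
CASES = [
    (["read:*"], "read:foo"),         # wildcard on the resource part
    (["read_users"], "read:users"),   # simple scope, literal match only
    (["users:*"], "read:users"),      # inconsistent ordering does not match
    (["users:*"], "users:read"),      # consistent ordering does
    (["*"], "read:foo"),              # bare "*" is not a catch-all
    (["read:*"], "write:foo"),        # wildcard never crosses actions
]

if __name__ == "__main__":
    for held, required in CASES:
        print(held, required, client_allows(held, required))
```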