Oauth2 client configuration parameters visible to users who are not members of the application group #2658
Comments
|
I changed https://github.com/kanidm/kanidm/blob/master/server/lib/src/server/access/search.rs#L187-L200 to read: if !contains_o2_rs {
AccessResult::Ignore
} else if contains_o2_scope_member {
security_access!(entry = ?entry.get_uuid(), ident = ?iuser.entry.get_uuid2rdn(), "ident is a memberof a group granted an oauth2 scope by this entry");
return AccessResult::Allow(btreeset!(
Attribute::Class.as_ref(),
Attribute::DisplayName.as_ref(),
Attribute::Uuid.as_ref(),
Attribute::Name.as_ref(),
Attribute::OAuth2RsOrigin.as_ref(),
Attribute::OAuth2RsOriginLanding.as_ref(),
Attribute::Image.as_ref()
));
} else {
AccessResult::Denied
}while waiting for true solution. |
yaleman
added
bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Ungranted person:
{ "attrs": { "class": ["account", "memberof", "oauth2_resource_server", "oauth2_resource_server_basic", "object"], "displayname": ["Test1"], "memberof": ["idm_all_accounts"], "name": ["test1"], "spn": ["test1"], "uuid": ["c900060f-7d5a-4d20-9191-dbdcaec69bf4"] } }Granted person:
{ "attrs": { "class": ["account", "memberof", "oauth2_resource_server", "oauth2_resource_server_basic", "object"], "displayname": ["Test2"], "memberof": ["idm_all_accounts"], "name": ["test2"], "oauth2_rs_origin": ["https://..."], "spn": ["test2"], "uuid": ["c900060f-7d5a-4d20-9191-dbdcaec69bf4"] } }The text was updated successfully, but these errors were encountered: