Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"any" matching option for "required_scope" in JWT authenticator #1129

Open
3 of 5 tasks
damianpietruszewski opened this issue Aug 24, 2023 · 1 comment
Open
3 of 5 tasks

"any" matching option for "required_scope" in JWT authenticator #1129

damianpietruszewski opened this issue Aug 24, 2023 · 1 comment
Labels
rfc A request for comments to discuss and share ideas.

Comments

@damianpietruszewski
Copy link

Preflight checklist

Ory Network Project

No response

Context and scope

Currently all scopes in required_scope in JWT authenticator are required to be matched by token scopes.

Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1 scope2"

We would like an option so any (at least one) match would be enough.

Example of a match:
"required_scope": ["scope1", "scope2"]
token scopes: "scope1"

We have started a discussion about it in #1038.

Goals and non-goals

Goals:

  • "any" matching option of required_scope

Non-goals:

  • Complex matching rules of required_scope consisting of mix of logical ANDs and ORs

The design

We propose a new JWT authenticator configuration - scope_match_multiplicity.

scope_match_multiplicity will control how many matches of required_scope are required. Supported values for scope_match_multiplicity: all , any.

scope_match_multiplicity should be optional and the option all should be its default as it reflects current logic.

  1. all scope match multiplicity option requires all scopes from required_scope to be matched by token scopes.
    Example of a match:
    "required_scope": ["scope1", "scope2"]
    token scopes: "scope1 scope2"
  2. any scope match multiplicity option requires at least one scope from required_scope to be matched by token scopes.
    Example of a match:
    "required_scope": ["scope1", "scope2"]
    token scopes: "scope1"

APIs

No response

Data storage

No response

Code and pseudo-code

No response

Degree of constraint

No response

Alternatives considered

  1. Complex matching rules of required_scope consisting of mix of logical ANDs and ORs
  • for someone that needs only "OR" or only "AND" matching this will introduce unnecessary complexity
  • it may require different format of required_scope
  1. Merging scope_strategy and scope_match_multiplicity into one value.
  • scope_strategy and scope_match_multiplicity control different matters
  • this config can be used in various combinations so there will be need for a const for each combination e.g. exact_all, exact_any
  • scope_strategy values are extracted to a separate lib and probably are used in many different apps which we will affect with our changes
  1. A separate field any_scope similar to required_scope for scopes that will require at least one match instead of scope_match_multiplicity.
  • each scope_match_multiplicity option has to be implemented as a new x_scope field
@damianpietruszewski damianpietruszewski added the rfc A request for comments to discuss and share ideas. label Aug 24, 2023
@cezarywysocki
Copy link

very useful

This was referenced Dec 13, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
rfc A request for comments to discuss and share ideas.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@damianpietruszewski @cezarywysocki