-
Notifications
You must be signed in to change notification settings - Fork 86
WIP: Rework JWT with scopes in GOA design #2138
base: master
Are you sure you want to change the base?
Conversation
Ike Plugins (test-keeper)Thank you @kwk for this contribution! It appears that no tests have been added or updated in this PR. Automated tests give us confidence in shipping reliable software. Please add some as part of this change. If you are an admin or the reviewer of this PR and you are sure that no test is needed then you can use the command For more information please head over to official documentation. You can find there how to configure the plugin. |
Codecov Report
@@ Coverage Diff @@
## master #2138 +/- ##
=======================================
Coverage 69.37% 69.37%
=======================================
Files 165 165
Lines 15277 15277
=======================================
Hits 10598 10598
Misses 3719 3719
Partials 960 960 Continue to review full report at Codecov.
|
@kwk that's interesting yes. I didn't find what exactly is expected in the token by GOA JWT security middleware is some scopes are defined in design. But it looks like it's just top level scope claim. We still could use GOA middlewares for that I think. But we will need to create our own custom one. We (auth team) also were thinking about creating common libs/tools for our go/Java/JS etc, clients/resource services which we could re-use instead of forcing each team to re-implement it from scratch. |
@alexeykazakov If I'm not mistaken you can put scopes on GOA resources and even actions (like I did) of a particular resource. Can you elaborate on how your resource definition differs from the GOA one? |
@kwk GOA resources != AuthZ resources. “scopes”:[“view”,”contribute”] But we need scopes for AuthZ resources, like spaces or org: “resources”:[ See the difference? In the first token there is global scopes but we need to define and check scopes per space as in the second token where “12345” and “54321” are space IDs. |
Yes I see that. |
Hey, I've looked at some swagger with @tinakurian and we found out about scopes in JWT and GOA. This PR exists to show how we might want to integrate scopes as presented by @alexeykazakov and @sbose78 into our endpoints.
The PR was inspired by this example usage of JWT: https://github.com/goadesign/examples/blob/master/security/design/jwt.go#L10
Notice that we were not using the newly created
JWT
global variable anywhere but just defined.As you can see the scopes can be placed on each action of a resource which is close to what we want, no? What's missing in the generated swagger are information about the
Authorization
header that should be provided in requests. The required scopes for each action are appended to the description of each action.I have no idea what effect the changes will have on our endpoints. Do the reject a request if a scope is missing now?