Hi, I have a question regarding implementation:
https://github.com/zalando/connexion/blob/master/connexion/decorators/security.py#L88
checks that the access token has any scope from the list of scopes.
Should the check be more strict, by checking that the declared scopes are a subset of the token's scopes?
@zd0 that is exactly what it does, no?
@zd0 I think you are right, it should check allowed_scopes <= user_scopes.
I get it now. In the logging message that was clearly the intention: https://github.com/zalando/connexion/blob/master/connexion/decorators/security.py#L89 ("one of allowed scopes")
If we are going to change that, it is a breaking change with older versions.
This is clearly a bug and needs to be fixed, see https://github.com/OAI/OpenAPI-Specification/blob/OpenAPI.next/versions/2.0.md#securityRequirementObject .
The object can have multiple security schemes declared in it which are all required (that is, there is a logical AND between the schemes).
...
If the security scheme is of type "oauth2", then the value is a list of scope names required for the execution.
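To make the difference concrete, here is an added worked example (not connexion's own code, and not from anyone in this thread) that places the "any of the allowed scopes" check beside the subset check the Security Requirement Object calls for, and evaluates a requirement object across several schemes with the logical AND quoted above. The token-info payload is a constructed sample, and the assumption that the scope field is either an RFC 6749 space-delimited string or a list of strings is the example's own.

```python
"""Added example: lax "any scope" check vs. strict subset check for an
OpenAPI 2.0 oauth2 security requirement. Not connexion's implementation."""

# Constructed sample token-info payload (not a real introspection response).
# The token carries only read:orders.
SAMPLE_TOKEN_INFO = {"uid": "alice", "scope": "read:orders"}


def token_scopes(token_info):
    """Normalise a token-info payload's scopes to a set of strings.

    Assumption: the scope field is either a space-delimited string
    (RFC 6749 section 3.3 style) or a list of strings.
    """
    scope = token_info.get("scope", token_info.get("scopes", ""))
    if isinstance(scope, str):
        return set(scope.split())
    return set(scope)


def has_any_scope(required, token_info):
    """The lax check described in the thread: passes if the token carries
    at least one of the scopes declared on the operation."""
    granted = token_scopes(token_info)
    return any(s in granted for s in required)


def has_all_scopes(required, token_info):
    """The strict check the spec implies: every declared scope must be
    present, i.e. required <= granted. An empty requirement is trivially met."""
    return set(required) <= token_scopes(token_info)


def check_security(required, token_info, strict=True):
    """Return (allowed, missing) for one operation's oauth2 scope list.

    `missing` lists the declared scopes the token lacks, which is what a
    403 response body or a log line should report rather than a bare denial.
    """
    granted = token_scopes(token_info)
    missing = sorted(set(required) - granted)
    if strict:
        allowed = has_all_scopes(required, token_info)
    else:
        allowed = has_any_scope(required, token_info)
    return allowed, missing


def requirement_satisfied(requirement, token_infos):
    """Evaluate one Security Requirement Object (dict scheme -> scope list).

    Every scheme named in the object must be satisfied (logical AND), and
    for each scheme all declared scopes must be present in the token that
    was presented for that scheme. `token_infos` maps scheme name to the
    token-info payload obtained for it; a scheme with no token fails.
    """
    for scheme, scopes in requirement.items():
        info = token_infos.get(scheme)
        if info is None:
            return False
        if not has_all_scopes(scopes, info):
            return False
    return True


if __name__ == "__main__":
    required = ["read:orders", "write:orders"]
    print("lax   :", check_security(required, SAMPLE_TOKEN_INFO, strict=False))
    print("strict:", check_security(required, SAMPLE_TOKEN_INFO, strict=True))
    print("AND   :", requirement_satisfied(
        {"oauth2": ["read:orders"], "api_key": []},
        {"oauth2": SAMPLE_TOKEN_INFO}))
```

Note the asymmetry on an empty scope list: `any([])` is false, so the lax check denies an operation that declares `oauth2: []`, while the subset check allows it, which matches the spec's reading that an empty list means "authenticated, no particular scope".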