Ocelot: How to use AllowedScopes?

Created on 14 Feb 2018  路  3Comments  路  Source: ThreeMammals/Ocelot

Hello, I麓m using your API Gateway and is very Useful, I麓m using my AuthenticationProvider and all works ok, but I have a question, in your manual test in configuration.json you have this:

"AuthenticationOptions": {
"AuthenticationProviderKey": "TestKey",
"AllowedScopes": [
"openid",
"offline_access"
]
}

and my question is how to use AllowedScopes?... what values can it take and in which case would they be used?... Thanks in advance

question

Most helpful comment

@TomPallister I'm commenting here rather than opening a new issue, as I have the same question over clarification of this. I'm not sure the answer given, nor the documentation matches the actual functionality. The documentation clearly states that ALL of the scopes declared in the Route AllowedScopes should be present in the user's scope claim, however, as I understand the code ScopesAuthoriser, it does an intersect of the two lists and an error is only thrown is if the count of matches is 0 (user has none of the required scopes).
The behaviour I am observing is that if you specify two scopes in Route AllowedScopes and the user only has one of them, authorisation succeeds, due to the use of Intersect, in contradiction to the documentation. Have I got this wrong?

All 3 comments

@FerAguilarR93 thanks for your interest in the project!

If you set allowed scopes Ocelot will get all the user claims of the type scope and make sure that the user has all of the scopes in the list.

This is a way to restrict access to a ReRoute on a per scope basis.

Does that help?

Yes it has been very helpful, thanks for your prompt response and willingness to help

@TomPallister I'm commenting here rather than opening a new issue, as I have the same question over clarification of this. I'm not sure the answer given, nor the documentation matches the actual functionality. The documentation clearly states that ALL of the scopes declared in the Route AllowedScopes should be present in the user's scope claim, however, as I understand the code ScopesAuthoriser, it does an intersect of the two lists and an error is only thrown is if the count of matches is 0 (user has none of the required scopes).
The behaviour I am observing is that if you specify two scopes in Route AllowedScopes and the user only has one of them, authorisation succeeds, due to the use of Intersect, in contradiction to the documentation. Have I got this wrong?

Was this page helpful?
0 / 5 - 0 ratings