# talk-oathkeeper
c
Scope validation questions: I want each one of our APIs to have a very specific scope, like `api:users:read`, and our main app to have a token with a generic scope like `api:*` that allows it to access all resources in the system. I configured the scope strategy to be wildcard, and I expected it to work, but oathkeeper is failing the request with
```
JSON Web Token is missing required scope "api:users:read".
```
What am I missing? Is this even possible with oathkeeper?
r
Maybe the tests show how `scope_strategy` would work? Haven't used it myself.
c
I looked at the tests and it's a bit hard to understand, but I think it should work.
r
I think most APIs I used so far use hierarchical types. As in:
• api
• api.users
• api.users.read
But I don't see an example in the docs of how that would work either.
c
Here they say hierarchical is considered insecure and to favor wildcard: https://github.com/ory/fosite
And this is the library used by oathkeeper.
Hmmm
Maybe run Oathkeeper with trace to see more?
c
I think I am just not understanding something here, so I guess the best option is to wait for one of the maintainers to answer this question
m
Hey Omer, can you maybe share your access rules and oathkeeper.yml (with sensitive values redacted)? I have no experience with what you are trying to do, but will ask my colleagues. Also see this collection of oathkeeper examples, maybe there is something helpful: https://github.com/ory/examples/tree/master/oathkeeper (maybe we can make an example for your use case for the future?)
c
Sure, here are the relevant snippets of config / access rules:
```yaml
authenticators:
  jwt:
    enabled: true
    config:
      jwks_urls:
        - <>
      scope_strategy: none
      trusted_issuers:
        - <>
      target_audience:
        - <>
      allowed_algorithms:
        - RS256
      scope_strategy: wildcard
authorizers:
  allow:
    enabled: true
mutators:
  noop:
    enabled: true
errors:
  handlers:
    json:
      enabled: true
      config:
        verbose: false
log:
  level: info
```
```json
{
  "upstream": {
    "url": "",
    "preserve_host": false
  },
  "id": "organization-command-0.organization-command",
  "match": {
    "url": "<http://api.goledge.io/v1/command/organizations>",
    "methods": [
      "POST"
    ]
  },
  "authenticators": [
    {
      "handler": "jwt",
      "condig": {
        "required_scope": ["api:users:read"]
      }
    }
  ],
  "authorizer": {
    "handler": "allow"
  },
  "mutators": [
    {
      "handler": "noop"
    }
  ]
},
```
r
You have `scope_strategy` twice.
c
Ahh right! Thank you 🙂
Just tested it and it is still not working...