Validate scope of JWTs

So far we are only accepting JWTs for requests to
APIv3 and our scopes are not more fine-grained than that.

However, warden strategies are generally responsible for validating
the scopes of a token (e.g. compare DoorkeeperOAuth) to the scope
of the currently accessed API.

Author: NobodysNightmare

lib_static/open_project/authentication/strategies/warden/jwt_oidc.rb

@@ -25,6 +25,11 @@ def authenticate!
             ::OpenIDConnect::JwtParser.new(required_claims: ["sub"]).parse(@access_token).either(
               ->(payload_and_provider) do
                 payload, provider = payload_and_provider
+                unless valid_scope?(payload)
+                  return fail_with_header! error: "insufficient_scope",
+                                           error_description: "Requires scope #{scope} to access this resource."
+                end
+
                 user = User.find_by(identity_url: "#{provider.slug}:#{payload['sub']}")
                 if user
                   success!(user)
@@ -35,6 +40,13 @@ def authenticate!
               ->(error) { fail_with_header!(error: "invalid_token", error_description: error) }
             )
           end
+
+          private
+
+          def valid_scope?(payload)
+            scopes = (payload["scope"] || "").split
+            scopes.include?(scope.to_s)
+          end
         end
       end
     end

spec/requests/api/v3/authentication_spec.rb

@@ -406,7 +406,7 @@ def set_basic_auth_header(user, password)
              "manage-clients",
              "query-groups"] },
           "account" => { "roles" => ["manage-account", "manage-account-links", "view-profile"] } },
-        "scope" => "email profile",
+        "scope" => token_scope,
         "sid" => "eb235240-0b47-48fa-8b3e-f3b310d352e3",
         "email_verified" => false,
         "preferred_username" => "admin"
@@ -417,6 +417,7 @@ def set_basic_auth_header(user, password)
     let(:token_sub) { "b70e2fbf-ea68-420c-a7a5-0a287cb689c6" }
     let(:token_aud) { ["https://openproject.local", "master-realm", "account"] }
     let(:token_issuer) { "https://keycloak.local/realms/master" }
+    let(:token_scope) { "email profile api_v3" }
     let(:expected_message) { "You did not provide the correct credentials." }
     let(:keys_request_stub) do
       stub_request(:get, "https://keycloak.local/realms/master/protocol/openid-connect/certs")
@@ -479,6 +480,20 @@ def set_basic_auth_header(user, password)
       end
     end
 
+    context "when the scope does not permit access to APIv3" do
+      let(:token_scope) { "profile email" }
+
+      it "fails with HTTP 403 Forbidden" do
+        get resource
+
+        expect(last_response).to have_http_status :forbidden
+        error = "Requires scope api_v3 to access this resource."
+        expect(last_response.header["WWW-Authenticate"])
+          .to eq(%{Bearer realm="OpenProject API", error="insufficient_scope", error_description="#{error}"})
+        expect(JSON.parse(last_response.body)).to eq(error_response_body)
+      end
+    end
+
     context "when access token has expired already" do
       let(:token_exp) { 5.minutes.ago }