
Validate scopes of JWTs #18393


Merged
merged 1 commit into from
Apr 22, 2025

NobodysNightmare
Contributor

So far we are only accepting JWTs for requests to
APIv3 and our scopes are not more fine-grained than that.

However, warden strategies are generally responsible for validating
the scopes of a token (e.g. compare DoorkeeperOAuth) to the scope
of the currently accessed API.

Ticket

https://community.openproject.org/wp/62360

Merge checklist

  • Added/updated tests
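
The scope check described in this pull request, sketched as an added example (not code from the PR or from OpenProject). It assumes the JWT's signature, issuer, audience and expiry were already verified and that `claims` is the decoded payload; the module name `JwtScopeCheck` and the scope name `api_v3` are assumptions.

```ruby
require "set"

# Added illustration, not OpenProject code. Assumes signature, issuer, audience
# and expiry of the JWT were verified earlier; `claims` is the decoded payload.
module JwtScopeCheck
  Result = Struct.new(:status, :headers)

  module_function

  # The "scope" claim is a space-delimited string (RFC 8693, section 4.2).
  # An array form is tolerated; anything else counts as no scopes at all.
  def granted_scopes(claims)
    raw = claims.is_a?(Hash) ? claims["scope"] : nil
    tokens = case raw
             when String then raw.split(" ")
             when Array  then raw.grep(String)
             else []
             end
    tokens.to_set
  end

  # Compare whole scope tokens, never substrings, and fail closed when the
  # claim is missing. `api_scope` is the scope of the API being accessed.
  def authorize(claims, api_scope)
    if granted_scopes(claims).include?(api_scope)
      Result.new(200, {})
    else
      # RFC 6750, section 3.1: insufficient_scope maps to HTTP 403.
      challenge = %(Bearer error="insufficient_scope", scope="#{api_scope}")
      Result.new(403, { "WWW-Authenticate" => challenge })
    end
  end
end

# Constructed sample payloads; "api_v3" is an assumed scope name.
if __FILE__ == $PROGRAM_NAME
  [{ "scope" => "openid api_v3" }, { "scope" => "api_v3_read" }, {}].each do |c|
    puts "#{c.inspect} -> #{JwtScopeCheck.authorize(c, 'api_v3').status}"
  end
end
```

A token carrying only `api_v3_read` is rejected because scopes are matched as whole tokens, and a token with no `scope` claim is treated as having no access.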

@NobodysNightmare NobodysNightmare marked this pull request as draft March 20, 2025 12:56
@NobodysNightmare
Contributor Author

Keeping this PR as a draft until we have decided whether we need to temporarily disable this check for APIv3 specifically or not.

@NobodysNightmare NobodysNightmare requested a review from a team April 17, 2025 08:26
@NobodysNightmare NobodysNightmare marked this pull request as ready for review April 17, 2025 08:26
@NobodysNightmare NobodysNightmare merged commit cdb05c0 into dev Apr 22, 2025
18 of 20 checks passed
@NobodysNightmare NobodysNightmare deleted the validate-scopes branch April 22, 2025 09:00