Old description outdated after January 2, 2025
Expected Behavior / New Feature
Allowed Scopes documentation says:
If you add scopes to AllowedScopes Ocelot will get all the user claims (from the token) of the type scope and make sure that the user has all of the scopes in the list.
This is a way to restrict access to a Route on a per scope basis.
ScopesAuthoriser.Authorize method:
|
var matchesScopes = routeAllowedScopes.Intersect(userScopes); |
Example:
Token contains Scope: "A"
Defined route AllowedScopes: "A", "B"
Ocelot should reject request to be fair with documentation.
Actual Behavior / Motivation for New Feature
Example
Token contains Scope: "A".
Defined route AllowedScopes: "A", "B"
Ocelot allow to pass request, even when token do not contains all required scopes!
Change proposal
Change:
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
To:
var matchesScopes = routeAllowedScopes.All(e => userScopes.Contains(e));
Or, change misleading information in documentation.
New Feature
To be written...
Old description outdated after January 2, 2025
Expected Behavior / New Feature
Allowed Scopes documentation says:
ScopesAuthoriser.Authorize method:
Ocelot/src/Ocelot/Authorization/ScopesAuthorizer.cs
Line 33 in 35dbc9d
Example:
Token contains Scope: "A"
Defined route AllowedScopes: "A", "B"
Ocelot should reject request to be fair with documentation.
Actual Behavior / Motivation for New Feature
Example
Token contains Scope: "A".
Defined route AllowedScopes: "A", "B"
Ocelot allow to pass request, even when token do not contains all required scopes!
Change proposal
Change:
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();To:
var matchesScopes = routeAllowedScopes.All(e => userScopes.Contains(e));Or, change misleading information in documentation.
New Feature
To be written...