Dear Chris,
As per my understanding, here is how it works on gateway system.
1. on design stage,
-- define what scopes will be accepted by an API -- scopesA
-- define oauth clients and their scopes. -- scopesB
2. on implement stage,
-- register oauth clients on /oauth/manager with the scopes
-- in the API policy, validate the token and scope (with OTK Require OAuth 2.0 Token assertion)
3. at run time,
the client authorises against OTK and retrieves the access token (associated to an oauth client and scopesB) and call the API with the token --> when executing API policy and validate the token/scope, if token is valid and scopesA is a sub set of scopesB, validation successful and continue, otherwise the API rejects the request and returns error.
To modify scopesB, you can do it on /oauth/manager.
To modify scopesA, you need to modify policy of API
( you're right scopesA and scopesB are kind of hard coded, but I think it's expected as you define the permission of this API, and the oauth client needs to be granted to the same permission to use this API, I don't think they're expected to be changed at run time.)
Regards,
Mark
Original Message:
Sent: 01-03-2020 11:35 AM
From: Chris Bertagnolli
Subject: Scope management in API Gateway
An example using another popular product. Within the Authorization Server I can add scopes + descriptions centrally, then create an application group and define a Web API with X scopes. Then I add clients to this application groups, select the scopes (from the configured list), and now can easily manage them.
If I want to remove a scope completely, go to central location and delete it and it's now gone from every client. Or change the scope name/description.
But that product also has some drawbacks too.
Is that possible in the GW? Or can I rename a scope if needed and have it propagate to all clients?
I'm trying to get the best of both worlds within the API Gateway. The biggest hang up I have at the moment is how scopes are managed from resource defined scope -> assigning to client -> enforcing at API GW policy. Unless I'm really misunderstanding the documentation or there's some other recommendation from Broadcom on how to handle the concept of a resource -> defined scopes -> client assigned scoped it seemed like it was pretty manual?
Original Message:
Sent: 01-03-2020 11:21 AM
From: Chris Bertagnolli
Subject: Scope management in API Gateway
Yes, I understand the use of scopes themselves and all the various RFCs associated with OAuth/OIDC. What I'm looking for specifically is how the API Gateway OTK - which is the Authorization Server - manages scopes across potentially hundreds of clients; this is application design specific and not within the realm of the OAuth framework RFCs.
As I read the documentation it appears it does absolutely no scope management really. It's simply a client with a hard coded list of "scopes" which is not maintainable. If I want to remove a scope from all clients, my only recourse is to sort through every client that has this hard coded value and remove it from them; additionally I also then have to manually track which API Gateway security policies use that and update them as well. I should be able to go into a central repository of scopes assigned to a resource and simply delete it.
Just seems like it is not maintainable or well designed for scopes.
Original Message:
Sent: 01-02-2020 07:26 PM
From: Zhijun He
Subject: Scope management in API Gateway
Hello Chris,
As per my understanding, the API is to access the resource, the scope means the scope of the resource, ie. what resource (api) the oauth client can access.
Therefore, if an API (resource) is open to everyone, you don't need to validate the scope, if the API/resource is for certain oauth client only, then you can validate the scope.
Setting the scope for an oauth client will define what API(resource) this oauth client can access.
You may find more details from oauth RFC documents, or other oauth documents. The gateway product document will not have those knowledges, same as the product document will not have knowledge about xml, http, etc.
Regards,
Mark
Original Message:
Sent: 01-02-2020 06:56 PM
From: Chris Bertagnolli
Subject: Scope management in API Gateway
Looking at a broad use of OAuth access tokens for delegates API access. Still at kind of documentation/investigation stage with the API Gateway itself and a little concerned with scope management.
According to the documentation: "The scope is a space-separated list of values that apply to OAuth 2.0 clients only and limit access for OAuth tokens. A client is initially registered with a set of scope values."
As I interpret that, I have to essentially hard code scope lists across multiple clients, am I reading that correct? If that is true, that makes using API Gateway far less attractive than other products.
Is there any better documentation of recommend best practices for scope management with the OAuth Toolkit?
Logically I want to have application groups, assign that application XYZ scopes (w/ some description), register clients to that application and assign them certain scopes from the list. That doesn't appear to be doable here with the OTK management GUI and assertions (which also appear to rely on hard coded values).