Bug #17610
[API] Federated token scopes are not obeyed if scopes include "GET .../users/current"
100%
Associated revisions
History
#1
Updated by Tom Clegg about 1 year ago
- Target version set to 2021-05-12 sprint
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
#2
Updated by Tom Clegg about 1 year ago
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
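Added example (not part of the issue thread and not Arvados code): a simplified model of the check described in the note above, with the pre-fix behavior next to the post-fix behavior. The function names, the callback model, the exact-match scope rule, the placeholder UUID and the sample tokens are assumptions made for illustration; only the two "GET ..." scope strings come from the issue.

```python
from datetime import datetime, timedelta, timezone

USERS_CURRENT = "GET /arvados/v1/users/current"
AUTH_CURRENT = "GET /arvados/v1/api_client_authorizations/current"

def scope_allows(scopes, request):
    # Assumption: simplified matching, "all" or an exact "METHOD /path" entry.
    return "all" in scopes or request in scopes

def issuer_answer(token, request, now):
    """Issuing cluster (model): serve a callback authenticated by the token itself."""
    expired = token["expires_at"] is not None and token["expires_at"] <= now
    if expired or not scope_allows(token["scopes"], request):
        return None
    if request == USERS_CURRENT:
        return {"uuid": token["user_uuid"]}
    if request == AUTH_CURRENT:
        return {"scopes": token["scopes"], "expires_at": token["expires_at"]}
    return None

def remote_allows_old(token, request, now):
    """Before the fix: a successful users/current callback was the only check,
    so the request itself was never compared with the token's scopes."""
    return issuer_answer(token, USERS_CURRENT, now) is not None

def remote_allows_new(token, request, now):
    """After the fix: both callbacks must succeed, then scopes and expiry apply."""
    if issuer_answer(token, USERS_CURRENT, now) is None:
        return False
    auth = issuer_answer(token, AUTH_CURRENT, now)
    if auth is None:
        return False
    if auth["expires_at"] is not None and auth["expires_at"] <= now:
        return False
    return scope_allows(auth["scopes"], request)

# Constructed sample data (placeholder UUID, not real tokens).
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=2)
USER = "zzzzz-tpzed-000000000000000"
NARROW = {"user_uuid": USER, "expires_at": None, "scopes": [USERS_CURRENT]}
SCOPED = {"user_uuid": USER, "expires_at": NOW + timedelta(hours=1),
          "scopes": [USERS_CURRENT, AUTH_CURRENT, "GET /arvados/v1/collections"]}
```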
#3
Updated by Ward Vandewege about 1 year ago
- Blocks Story #17512: Release Arvados 2.2 added
#4
Updated by Ward Vandewege about 1 year ago
Tom Clegg wrote:
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
Thanks, this LGTM!
#5
Updated by Tom Clegg about 1 year ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|6e8530d7d4c7fffe5697fe7269141f8bfef11e68.
#6
Updated by Peter Amstutz about 1 year ago
- Release set to 38
Merge branch '17610-remote-token-scopes'
fixes #17610
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>