Bug #17610
closed
[API] Federated token scopes are not obeyed if scopes include "GET .../users/current"
Updated by Tom Clegg over 3 years ago
- Target version set to 2021-05-12 sprint
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
Updated by Tom Clegg over 3 years ago
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
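The scope requirement described in the comment above can be checked against existing scoped tokens before upgrading; the following is an added example, not part of the original comment and not Arvados project code. It assumes a scope entry matches a request when it is "all", an exact "METHOD /path" string, or a string ending in "/" used as a prefix; the token labels and scope lists are constructed.

```python
"""Audit scope lists against the remote-cluster requirement in this issue."""

# The two requests named in the issue comment.
USERS_CURRENT = "GET /arvados/v1/users/current"
AUTHS_CURRENT = "GET /arvados/v1/api_client_authorizations/current"


def scope_allows(scope, request):
    """Assumed matching rule: 'all', an exact 'METHOD /path' match, or a
    scope ending in '/' acting as a prefix of the request."""
    return (
        scope == "all"
        or scope == request
        or (scope.endswith("/") and request.startswith(scope))
    )


def missing_for_remote(scopes, upgraded=True):
    """Return the required requests that `scopes` does not permit."""
    required = [USERS_CURRENT] + ([AUTHS_CURRENT] if upgraded else [])
    return [r for r in required if not any(scope_allows(s, r) for s in scopes)]


def audit(tokens):
    """Map label -> (works under old rule, works under new rule, missing)."""
    report = {}
    for label, scopes in tokens.items():
        missing = missing_for_remote(scopes, upgraded=True)
        works_old = not missing_for_remote(scopes, upgraded=False)
        report[label] = (works_old, not missing, missing)
    return report


# Constructed sample scope lists (labels are hypothetical).
SAMPLE_TOKENS = {
    "unscoped": ["all"],
    "old-style": [USERS_CURRENT, "GET /arvados/v1/collections/"],
    "new-style": [USERS_CURRENT, AUTHS_CURRENT, "GET /arvados/v1/collections/"],
    "prefix": ["GET /arvados/v1/users/",
               "GET /arvados/v1/api_client_authorizations/"],
    "data-only": ["GET /arvados/v1/collections/"],
}

if __name__ == "__main__":
    for label, (old, new, missing) in audit(SAMPLE_TOKENS).items():
        print(f"{label:10} old={old!s:5} new={new!s:5} missing={missing}")
```

Tokens reported as working under the old rule but not the new one are the ones that need the extra scope added before both clusters are upgraded.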
Updated by Ward Vandewege over 3 years ago
- Blocks Idea #17512: Release Arvados 2.2 added
Updated by Ward Vandewege over 3 years ago
Tom Clegg wrote:
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
Thanks, this LGTM!
Updated by Tom Clegg over 3 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|6e8530d7d4c7fffe5697fe7269141f8bfef11e68.