Bug #17610
[API] Federated token scopes are not obeyed if scopes include "GET .../users/current"
100%
Subtasks
Related issues
Associated revisions
History
Updated by #2
Updated by Tom Clegg 7 months ago
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2448/
#3
Updated by Ward Vandewege 7 months ago
Updated by - Blocks Story #17512: Release Arvados 2.2 added
#4
Updated by Ward Vandewege 7 months ago
Tom Clegg wrote:
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- https://ci.arvados.org/view/Developer/job/developer-run-tests/2448/
Thanks, this LGTM!
#5
Updated by Tom Clegg 7 months ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|6e8530d7d4c7fffe5697fe7269141f8bfef11e68.
#6
Updated by Peter Amstutz 7 months ago
Updated by - Release set to 38
Merge branch '17610-remote-token-scopes'
fixes #17610
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>