Bug #17610
closed
[API] Federated token scopes are not obeyed if scopes include "GET .../users/current"
Added by Tom Clegg over 3 years ago.
Updated over 3 years ago.
Release relationship:
Auto
- Target version set to 2021-05-12 sprint
- Assigned To set to Tom Clegg
- Status changed from New to In Progress
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
Tom Clegg wrote:
Previously, in order for a token to work at a remote cluster, it had to include "GET /arvados/v1/users/current" in scopes.
Now it also has to include "GET /arvados/v1/api_client_authorizations/current".
This allows the remote cluster to obey its scopes and expiry time.
The new behavior only takes effect when both the token-checking cluster and the token-issuing cluster have been upgraded.
17610-remote-token-scopes @ 89fa46a357a5d5fc39721a3ddbe8e857a101eeef -- developer-run-tests: #2448
Thanks, this LGTM!
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
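The scope requirement described in the comment above, as an added example that is not part of the original issue or the Arvados code base: a simplified model of the token-checking cluster's decision before and after the change. The `IssuingCluster` class, the `scope_allows` and `remote_allows` helpers, the `upgraded` flag, the exact-match scope rule, and the sample tokens are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Scope strings quoted in the issue.
USERS_CURRENT = "GET /arvados/v1/users/current"
AUTH_CURRENT = "GET /arvados/v1/api_client_authorizations/current"

def scope_allows(scopes, method, path):
    """Simplified scope check (assumption): 'all' or an exact 'METHOD path' entry."""
    return "all" in scopes or f"{method} {path}" in scopes

class IssuingCluster:
    """Hypothetical stand-in for the cluster that issued the token."""
    def __init__(self, tokens):
        self.tokens = tokens  # token -> {"user", "scopes", "expires_at"}

    def get(self, token, path):
        rec = self.tokens.get(token)
        if rec is None or not scope_allows(rec["scopes"], "GET", path):
            return None  # models a refusal from the issuing cluster
        if path == "/arvados/v1/users/current":
            return {"uuid": rec["user"]}
        if path == "/arvados/v1/api_client_authorizations/current":
            return {"scopes": rec["scopes"], "expires_at": rec["expires_at"]}
        return None

def remote_allows(issuer, token, method, path, now, upgraded=True):
    """Decision made by the token-checking cluster for one incoming request."""
    if issuer.get(token, "/arvados/v1/users/current") is None:
        return False  # token cannot identify its user
    if not upgraded:
        return True  # old behaviour: the user is known, scopes and expiry are not
    auth = issuer.get(token, "/arvados/v1/api_client_authorizations/current")
    if auth is None:
        return False  # new requirement: token must be able to describe itself
    if auth["expires_at"] is not None and auth["expires_at"] <= now:
        return False  # expiry time learned from the issuing cluster
    return scope_allows(auth["scopes"], method, path)

# Constructed sample data; the issuer model does not check expiry itself.
NOW = datetime(2021, 5, 1, tzinfo=timezone.utc)
ISSUER = IssuingCluster({
    "tok-user-only": {"user": "user-a", "scopes": [USERS_CURRENT], "expires_at": None},
    "tok-both": {"user": "user-a", "scopes": [USERS_CURRENT, AUTH_CURRENT], "expires_at": None},
    "tok-expired": {"user": "user-a", "scopes": ["all"], "expires_at": datetime(2021, 4, 1, tzinfo=timezone.utc)},
})
```
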