Skip to content

Request for split(<separator>) operator #44

Description

@jeffsec-aws

While dealing with OAuth2 tokens, the scope claim (sometimes scp for some non-compliant OIDC providers) is composed of:

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749].

Reference: RFC8693

The value of the scope parameter is expressed as a list of space-
delimited, case-sensitive strings. The strings are defined by the
authorization server. If the value contains multiple space-delimited
strings, their order does not matter, and each string adds an
additional access range to the requested scope.

Reference: RFC6749 / Section 3.3

A policy having multiple conditions using the like operator can be a solution:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope like "*ScopeA*" &&
  context.token.scope like "*ScopeB*"
};

It won't be secure if the scope value is ScopeAScopeB with no space delimiter.

While a policy including the proposed split(separator) operator, it will be more secure:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope.split(" ").containsAll(["ScopeA", "ScopeB"])
};

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions