Red Hat 3scale API Management: THREESCALE-2262

OpenID / OAuth token validation flow changes


Details

    • Epic
    • Status: Closed
    • Major
    • Resolution: Done
    • 2.5 CR1
    • None
    • Gateway
    • None
    • OpenID / OAuth token validation flow changes
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • To Do

    Description

      The 3scale backend authorizes the application before the request is sent upstream. Suppose you are using a client that is expected to have access to 3scale regardless of which authentication flow is used, but you want to restrict it further and reject that access in some cases. To make that possible we would:

      • Remove checking aud for the app_id
      • Make azp claim configurable (where we expect the app_id), so we can be compatible with other IDPs.
      • Introduce a policy for arbitrary JWT claim verification. You will be able to require whatever aud claim you want (and even use Liquid templates, as in the other policies).
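As an added illustration (not 3scale or APIcast code; the Liquid templating mentioned above is not modelled, and the claim sets are constructed), the following Python contrasts the two flows: the old check that required the app_id to appear in aud, and the new flow where the claim carrying the app_id is configurable and any aud requirement is expressed as an explicit claim-verification policy.

```python
from typing import Any, Mapping, Optional, Sequence, Union

ClaimValue = Union[str, Sequence[str]]


def _as_list(value: Optional[ClaimValue]) -> list:
    """aud (and any other claim) may be a single string or a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def legacy_authorize(claims: Mapping[str, Any], app_id: str) -> bool:
    """Flow before the change: app_id must be in azp AND appear in aud."""
    return claims.get("azp") == app_id and app_id in _as_list(claims.get("aud"))


def verify_required_claims(claims: Mapping[str, Any],
                           required: Mapping[str, ClaimValue]) -> bool:
    """Policy-style check: every expected value of every required claim must be
    present in the token. A missing claim or a missing value rejects the token."""
    for name, expected in required.items():
        actual = _as_list(claims.get(name))
        if not all(value in actual for value in _as_list(expected)):
            return False
    return True


def new_authorize(claims: Mapping[str, Any], app_id: str,
                  app_id_claim: str = "azp",
                  required: Optional[Mapping[str, ClaimValue]] = None) -> bool:
    """Flow after the change: the claim carrying app_id is configurable and aud
    is no longer tied to app_id; any aud requirement is an explicit policy."""
    if claims.get(app_id_claim) != app_id:
        return False
    return verify_required_claims(claims, required or {})


# Constructed sample payloads (decoded claim sets, not real tokens; signature
# verification is assumed to have happened before these checks run).
KEYCLOAK_STYLE = {"iss": "https://idp.example/realms/demo", "aud": "account",
                  "azp": "app-123", "scope": "openid"}
OTHER_IDP_STYLE = {"iss": "https://other-idp.example", "aud": ["api-gateway"],
                   "client_id": "app-123"}

if __name__ == "__main__":
    print(legacy_authorize(KEYCLOAK_STYLE, "app-123"))                           # False
    print(new_authorize(KEYCLOAK_STYLE, "app-123", required={"aud": "account"}))  # True
```

The Keycloak-style payload shows why the aud check was dropped: aud holds the IdP's own audience value, not the app_id, so the legacy flow rejects a valid client while the new flow accepts it and still lets a policy demand a specific aud.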

          People

            Unassigned
            vramosp Vanessa Ramos (Inactive)
            Votes: 0
            Watchers: 3
