Request for split(<separator>) operator #44

@jeffsec-aws

Description

While dealing with OAuth2 tokens, the scope claim (sometimes scp for some non-compliant OIDC providers) is composed of:

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749].

Reference: RFC8693

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

Reference: RFC6749 / Section 3.3

A policy having multiple conditions using the like operator can be a solution:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope like "*ScopeA*" &&
  context.token.scope like "*ScopeB*"
};

It won't be secure if the scope value is ScopeAScopeB with no space delimiter.

A policy using the proposed split(separator) operator would be more secure:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope.split(" ").containsAll(["ScopeA", "ScopeB"])
};
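To make the bypass concrete, here is an added example (not part of the issue, nor Cedar's own code) that emulates both policies in plain Python and runs them over constructed scope values. `cedar_like` is a simplified stand-in for Cedar's `like` operator (only the `*` wildcard, no escape handling), and `scope_tokens` splits the claim on a single space as RFC 6749 Section 3.3 prescribes; the sample claim strings are made up for the demonstration.

```python
import re

# Constructed sample values for the token's scope claim (not from any real token).
RFC_SCOPE = "openid ScopeA ScopeB"       # well-formed, space-delimited list
CONCATENATED = "openid ScopeAScopeB"     # the bypass case raised in the issue
PREFIX_ONLY = "openid ScopeA ScopeBeta"  # "ScopeB" is a substring of a longer scope
WRONG_CASE = "openid scopea scopeb"      # scopes are case-sensitive (RFC 6749 3.3)

REQUIRED = ["ScopeA", "ScopeB"]


def cedar_like(value: str, pattern: str) -> bool:
    """Simplified emulation of Cedar's `like`: `*` matches any run of characters,
    every other character is literal. Escaped stars (`\\*`) are not handled here."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def scope_tokens(scope: str) -> list[str]:
    """Tokenize a scope claim per RFC 6749 section 3.3:
    scope = scope-token *( SP scope-token ). Only SP (0x20) is a delimiter;
    tabs or newlines are not. Empty tokens (from doubled spaces) are dropped,
    which is lenient but cannot grant a scope that was not present."""
    return [token for token in scope.split(" ") if token]


def like_policy_permits(scope: str, required: list[str]) -> bool:
    """The substring policy from the issue:
    context.token.scope like "*ScopeA*" && context.token.scope like "*ScopeB*"."""
    return all(cedar_like(scope, f"*{name}*") for name in required)


def split_policy_permits(scope: str, required: list[str]) -> bool:
    """The proposed policy:
    context.token.scope.split(" ").containsAll(["ScopeA", "ScopeB"])."""
    return set(required).issubset(scope_tokens(scope))


def compare(scope: str, required: list[str]) -> dict[str, bool]:
    """Return the verdict of both policies for one scope value."""
    return {
        "like": like_policy_permits(scope, required),
        "split": split_policy_permits(scope, required),
    }


if __name__ == "__main__":
    for label, scope in [
        ("rfc-compliant", RFC_SCOPE),
        ("concatenated", CONCATENATED),
        ("prefix-only", PREFIX_ONLY),
        ("wrong-case", WRONG_CASE),
    ]:
        print(f"{label:14s} {scope!r:32s} {compare(scope, REQUIRED)}")
```

Both policies agree on the well-formed claim and on the wrong-case claim (neither `like` nor `split` is case-insensitive), but only the substring policy accepts `ScopeAScopeB` and `ScopeBeta`; the second case shows that the weakness is not limited to a missing delimiter, since any scope name that happens to contain `ScopeB` as a substring satisfies `like "*ScopeB*"`.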
