Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request for split(<separator>) operator #44

Open
jeffsec-aws opened this issue Jan 18, 2024 · 3 comments
Open

Request for split(<separator>) operator #44

jeffsec-aws opened this issue Jan 18, 2024 · 3 comments

Comments

@jeffsec-aws
Copy link

While dealing with OAuth2 tokens, the scope claim (sometimes scp for some non-compliant OIDC providers) is composed of:

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749].

Reference: RFC8693

The value of the scope parameter is expressed as a list of space-
delimited, case-sensitive strings. The strings are defined by the
authorization server. If the value contains multiple space-delimited
strings, their order does not matter, and each string adds an
additional access range to the requested scope.

Reference: RFC6749 / Section 3.3

A policy having multiple conditions using the like operator can be a solution:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope like "*ScopeA*" &&
  context.token.scope like "*ScopeB*"
};

It won't be secure if the scope value is ScopeAScopeB with no space delimiter.

While a policy including the proposed split(separator) operator, it will be more secure:

permit(
  principal,
  action,
  resource
) when {
  context.token.scope.split(" ").containsAll(["ScopeA", "ScopeB"])
};
@shaobo-he-aws
Copy link
Contributor

Thank you for your interest, @jeffsec-aws. I have a quick question. Is it possible to preprocess the data before authorization? For instance, the scope field can be a set of strings instead of a string. So, the policy becomes,

permit(
  principal,
  action,
  resource
) when {
  context.token.scope.containsAll(["ScopeA", "ScopeB"])
};

When constructing the context, you convert the scope claim into a set of strings (e.g., by calling the string splitting function of the language you like).

@khieta
Copy link
Contributor

khieta commented Jan 18, 2024

Another path forward here might be a "Path" extension, as proposed by @D-McAdams on this thread. The constructor for a "Path" could take the delimiter (in this case a space) as input, and support containsAll/containsAny methods.

@jeffsec-aws
Copy link
Author

@shaobo-he-aws yes pre-processing is an alternative, but it means that the PEP touches the data submitted for authorization.

Having a split operator allows 3rd party Cedar oriented PDP that can consume OAuth2 tokens natively to work with the JWS natively and benefit from the digital signature protection against tampering while evaluating policies.

I understand this is niche.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@khieta @jeffsec-aws @shaobo-he-aws