Feature Request: Scope checking in OAuth2 Plugin

[johnwiesel]

Dear all,

I really like the addition of the OAuth2 plugin to Kong.
Sadly, it seems that both the "scope" and "authenticated user" is not checked during the access filter but delegated to the API after some initial checks (existence and expiration) as far as I can tell from the code.
Imho, this defeats the purpose of delegating the OAuth2 token checks to Kong. All my APIs with OAuth2-plugin enabled will still have to implement the remaining parts of the authorization mechanism.

I wonder if anyone is already working on extend the OAuth2 plugin as follows:
1) add some sort of scopes-check
a) replacing the csv "scopes" attribute by a map of
-> scope -> verb + route
b) checking if the authorization has a scope that matches the request

lua pseudocode:

local function check_scopes(conf)
  scopes = {}
  scopes['read.users']['GET'] = '/users'
  scopes['write.users']['POST'] = '/users'
  scopes['write.users']['PUT'] = '/users'

  for scope, rule in ipairs(scopes) do
     for verb, suffix in ipairs(rule) do
         if ((ngx.req.get_method() ~= verb) and (stringy.endswith(ngx.var.request_uri, rule))) then
            return true
     end
  end

  return false
end

2) add some sort of user-check
a) for all of my relevant oauth2 protected resources, API calls have the user id as a path parameter. i assume this may be the case for many applications. it would be quite easy to (optionally) validate the request like so (lua pseudocode):

local function check_user(conf, token)
  if (conf.user_check) then
    --example with UUIDs "users/(%x%x%x%x%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%-%x%x%x%x%x%x%x%x%x%x%x%x)"
    local pattern = conf.user_check
    local requested_user_id = ngx.var.request_uri:match(pattern)

    if not requested_user_id then
        ngx.log(ngx.ERR, 'no user id matched')
        return
    end

    if not (requested_user_id == token.authenticated_userid) then
      ngx.log(ngx.ERR, 'no user id matched')
      return responses.send_HTTP_UNAUTHORIZED({[ERROR] = "invalid_token", error_description = "The access token is invalid or has expired"}, false, {["WWW-Authenticate"] = 'Bearer realm="service" error="invalid_token" error_description="The access token is invalid or has expired"'})      
    end

    return true
end

[jxstanford]

I was thinking something similar. My search for a flexible solution let me to Hydra (https://github.com/ory-am/hydra). I haven't implemented it, but I like the flexible policy specification that it uses. I almost suggested a Hydra plugin, but it overlaps with JWT, ACL, and Oauth2, so I didn't want to offend anyone :-)

Would be great to have a deeper scope/policy check in Kong.

[johnwiesel]

@jxstanford I have extended the oauth2 plugin as I suggested above. I copied the core kong2 oauth plugin and added it again as a custom plugin to override the core plugin and then started adding the scope functionality. I'd like to submit this as a PR this or next week, as soon as I can. As I am not a lua expert some things are not quite clear to me (e.g. I did e2e test with scripts but need to write unit tests, etc.).

[johnwiesel]

Well I used a dockerized version of kong to build this. I added a copy of the oauth2 plugin as a custom plugin to override the core plugin then added my changes.
The fork is here: https://github.com/itembase/kong-plugin-development/tree/feature-standaloneOAuth2
The feature branch is here: https://github.com/itembase/kong-plugin-development/tree/feature-standaloneOAuth2

Running this you can enable rules using a simple PUT (using the httpie client from cli for example):
http localhost:8001/oauth2/scopes/rules/ scope=icecream request_method=GET request_path_suffix=/icecream
This will make the scope required for any GET requests to the /icecream suffix.

I would like to know how to submit this as a PR to kong core.

[ghost]

+1

[alecl]

This looks really interesting but it's been quite a while since. No response from Kong team, @johnwiesel ? Have you done any further work on this or rolled it out into production for yourself? If so any guidance or updates on how it worked out?

[jharitesh108]

is this feature never merged?

[earllapura]

+1

[tleflond]

+1

[relaxxpls]

Hey I'm new to Lua but would like to help!
Could anyone guide where to start from?