Changed scopes claim retrieval to use the scp field instead of the scps #37
Open
thomascrha wants to merge 1 commit into antarctica:main from
Conversation
to match the current spec.
Within the current implementation flask-entra-auth tries to extract the scopes from the token claims using the `scps` key. This key doesn't seem to exist within the claim spec; see here: https://learn.microsoft.com/en-us/entra/identity-platform/access-token-claims-reference#payload-claims

Within the spec itself the string `scps` is never mentioned, and I can't find whether this was potentially changed at some point, so my assumption is that this functionality has never worked.

Currently the lib assumes that the scopes are an array of strings (similar to roles), but according to the spec the scopes claim (`scp`) is a "String, a space separated list of scopes". What this means is that in the current implementation no scopes are ever actually captured and can never be checked against.

I've also adjusted the test suite and have all tests passing.

Linked issue: #38
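The claim-format mismatch described in the PR, shown as an added example (this is illustrative code, not flask-entra-auth's implementation). It contrasts the old lookup of a `scps` array with reading `scp` as the space-separated string the linked claims reference specifies, and then checks the granted scopes against a required set. The claim values and the `extract_scopes` / `missing_scopes` function names are constructed for this example.

```python
"""Added example: reading delegated scopes from an Entra access-token payload.

Not the project's own code. The claims below are a constructed sample of an
already-decoded and already-verified token payload; signature validation is
assumed to have happened before any of this runs.
"""
from typing import Iterable, Mapping, Set

# Constructed sample payload (placeholder values, not a real token).
SAMPLE_CLAIMS = {
    "aud": "api://example-app",        # placeholder audience
    "scp": "Files.Read Mail.Send",     # space-separated string, per the spec
    "roles": ["Admin.Read"],           # app roles are an array of strings
}


def old_lookup(claims: Mapping[str, object]) -> Set[str]:
    """The pre-fix behaviour the PR describes: read a `scps` array.

    The claims reference defines no `scps` key, so this always yields an
    empty set and every scope check fails closed, i.e. nothing is ever granted.
    """
    raw = claims.get("scps", [])
    return set(raw) if isinstance(raw, (list, tuple)) else set()


def extract_scopes(claims: Mapping[str, object]) -> Set[str]:
    """Return the delegated scopes carried in the `scp` claim.

    `scp` is a single string containing a space-separated list of scope
    names. Splitting on whitespace tolerates repeated separators. A list is
    also accepted so callers that normalised the claim upstream still work;
    any other type (missing claim, wrong type) yields no scopes, so a
    malformed token grants nothing rather than something unexpected.
    """
    raw = claims.get("scp")
    if isinstance(raw, str):
        return {s for s in raw.split() if s}
    if isinstance(raw, (list, tuple)):
        return {s for s in raw if isinstance(s, str) and s}
    return set()


def missing_scopes(claims: Mapping[str, object], required: Iterable[str]) -> Set[str]:
    """Return the required scopes the token does not grant (empty == allowed)."""
    return set(required) - extract_scopes(claims)


if __name__ == "__main__":
    print("old scps lookup:", old_lookup(SAMPLE_CLAIMS))
    print("scp scopes:", extract_scopes(SAMPLE_CLAIMS))
    print("missing for Files.Read + User.Read:",
          missing_scopes(SAMPLE_CLAIMS, ["Files.Read", "User.Read"]))
```

A route guard would call `missing_scopes(claims, required)` and reject the request when the result is non-empty; with the old `scps` lookup that set was never empty for any token, which is the "no scopes are ever captured" symptom the PR reports.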