#913 Support RFC 8693 (OAuth 2.0 Token Exchange) for the "scope" claim in ScopesAuthorizer

[mehyaa]

Fixes #913

• AllowedScopes does not match string array in JWT scope claim #913

Scopes can be a space separated list in a single claim. Include this possibility on allowed scopes check.

Proposed Changes

• Split user scopes if scope claim value is a single space-separated claim

[mehyaa]

The build is broken, it fails on irrelevant part from this PR. #1436 fixes is I think.

[PatrickDelancy]

This is still an issue. Adding my 👍 to get this small and valuable PR merged.

[raman-m]

Mehmet,
Thanks for resolving of merge conflicts!

Unfortunately the last build is failed: 5 acceptance tests have failed!

Why is your PR code so unstable?

[mehyaa]

I haven't found out the reason why the tests failed with a quick look. I couldn't figure out the tests structure. When I have time I'll look into it.

[raman-m]

@mehyaa
The feature branch has been rebased onto ThreeMammals:develop successfully!
The build has failed with 5 tests!
Code review will start after fixing of these failed tests.
Also, some new tests should cover your proposed changes in the ScopesAuthorizer class.

Could you add me as collaborator to your forked repo please? I will fix develop branch because now it has the diff, but both develop branches should be identical.

[mehyaa]

@raman-m I've fixed the tests. Failing tests were written for the bug that requires one of allowed scopes. I've changed the claims and allowed scopes on tests so they can test the correct conditions.

For adding new tests to test ScopesAuthorizer, the current tests seem pretty sufficient.

[mehyaa]

@raman-m I've added you as collaborator on my fork, you can fix the diff or guide me to how-to.

[mehyaa]

Interestingly some irrelevant tests fail irregularly.

[raman-m]

@mehyaa commented on Sep 14, 11:38 AM

Thanks for fixing of failed tests!

---

For adding new tests to test ScopesAuthorizer, the current tests seem pretty sufficient.

No, at least one new test should cover claims logic having them multiple in the related config property.
Simultaneously, we should update current tests to be green. Because each test covers specific atomic feature.

Come on! We've changed the logic from single Scope to multiple ones! And it is definitely right time to cover these changes.

I have idea: let's write tests for each linked issue:

• a test for AllowedScopes does not match string array in JWT scope claim #913 where you can ask @fsmullinslc to help you
• a test for Switching between a scope's matching strategies #1066 where you can ask @papugamichal to help you

Sounds good?

[raman-m]

@mehyaa commented on Sep 15

Don't worry! This is unstable scenario: Ocelot.AcceptanceTests.ConfigurationReloadTests.should_reload_config_on_change
The next run fixes the build usually.
Truly speaking, I am tired of this test too. I will create bug issue soon for this test.

[raman-m]

@mehyaa
Why not to continue working? Firstly resolving all merge conflicts and merging from develop...

[raman-m]

I like this, guys! Let's close the PR and open once again 🤣

[raman-m]

Oops, I've changed my mind. I forgot that PR is now part of the .NET 10 milestone.

[mehyaa]

@raman-m the last close/open was by mistake, my bad.

I've figured out the acceptance tests' problem, the token server was misconfigured. I've added a fix there too. You need to review.

On my machine Http20CLient_DirectConnection_ShouldConnect test keeps failing but it seem nothing to do with my changes and I didn't see the test in recent actions as well. Can you look into it?

The tests are passing now.

[ggnaegi]

Why userScopes.Count == 1 ?

That will be a error if a provider supplied scope claim as an array that some of the values are space-separated.

@mehyaa could you just comment this in code please. It's fine for me and i will approve your PR.

[mehyaa]

Why userScopes.Count == 1 ?

That will be a error if a provider supplied scope claim as an array that some of the values are space-separated.

@mehyaa could you just comment this in code please. It's fine for me and i will approve your PR.

Added a comment to the code.

[raman-m]

The code looks much better now, with some minor but valuable suggestions noted below.

It seems acceptance testing is complete, and I will review unit testing and code coverage later.

[raman-m]

Ready for delivery ✅

• Code review ✔️ ✔️
• Unit testing ✔️ ✔️
• Acceptance testing ✔️
• Updated docs ✔️

[raman-m]

@mehyaa Congrats, Mehmet! 🥳
After more than 4 years, we finally made it!
This is your first contribution to the project, and we truly appreciate it 👍
Thanks for being available online this weekend.