Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add API-Name aka wild-card scope #103

Merged
merged 3 commits into from
Jun 12, 2024

Conversation

AxelNennker
Copy link
Collaborator

What type of PR is this?

Allow clients to request the scope sim-swap and get access to both sim-swap-check and sim-swap-data

What this PR does / why we need it:

Let the SimSwap subgroup define support for the wildcard scope sim-swap.

See also: camaraproject/Commonalities#184 (comment)

@fernandopradocabrillo
Copy link
Collaborator

@AxelNennker after reading the related issue I think we should wait for ICM final decision before adding anything

@AxelNennker
Copy link
Collaborator Author

@AxelNennker after reading the related issue I think we should wait for ICM final decision before adding anything

Hi @fernandopradocabrillo , hi @bigludo7 ,

I believe that "wildcard" and "purpose" were mixed together in ICM's purpose discussion because an example about "purpose" contained a wildcard scope.

Strong recommendation for format samples:
dpv:FraudPreventionAndDetection#retrieve-sim-swap-date
dpv:FraudPreventionAndDetection#check-sim-swap
dpv:FraudPreventionAndDetection#sim-swap (*)
(*)Use api name when all scopes are included

Now we have "purpose" defined in Camara Security and Interoperability Profile.

I think because scope guidlelines are in https://github.com/camaraproject/Commonalities/blob/main/documentation/API-design-guidelines.md#1161-scope-naming the "wild-card" or <API-Name> guideline should be there.

I guess, if the SimSwap-WG wants to wait on scope guidelines then we should wait for Commonalities.

bigludo7
bigludo7 previously approved these changes May 30, 2024
Copy link
Collaborator

@bigludo7 bigludo7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/LGTM

Comment on lines 69 to 72
- openId:
- sim-swap:retrieve-date
- openId:
- sim-swap
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we don't need to repeat the "openId", we can just add it to the existing array

Suggested change
- openId:
- sim-swap:retrieve-date
- openId:
- sim-swap
- openId:
- sim-swap:retrieve-date
- sim-swap

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that two scopes mean that both scopes must be in the access token at the same time.

https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.3.md#security-requirement-object

If the security scheme is of type "oauth2" or "openIdConnect", then the value is a list of scope names required for the execution, ....

For example if the API has a scopes "write:pets" and "read:pets" then the "manage" endpoint requires both scopes, while the getById endpoint just needs "read:pets".

The way I proposed means: "one of the security objects must fit"
So, I think, that

        - openId:
          - sim-swap:retrieve-date
        - openId:
          - sim-swap

means that if the access token has scope sim-swap:retrieve-date then pass or if the access token has scope sim-swap then pass.

The client can thus request an access token with the scope sim-swap and the the AZ grants it. Then that access token has the scope sim-swap and the RS would let the API-request pass at both the two endpoints.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I did more research and indeed you are right so we can proceed this way

code/API_definitions/sim_swap.yaml Outdated Show resolved Hide resolved
@fernandopradocabrillo fernandopradocabrillo self-requested a review June 7, 2024 12:47
Copy link
Collaborator

@fernandopradocabrillo fernandopradocabrillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@bigludo7
Copy link
Collaborator

bigludo7 commented Jun 7, 2024

Good ! thanks @fernandopradocabrillo for the research.
I let a couple of day this PR open and will merge it (if no other comment) next week.

@bigludo7 bigludo7 dismissed stale reviews from fernandopradocabrillo and themself via f1a3e28 June 12, 2024 12:00
Fixed MegaLinter issues
@bigludo7
Copy link
Collaborator

@fernandopradocabrillo I've fixed megalinter issues so review required :)

@bigludo7 bigludo7 self-requested a review June 12, 2024 12:48
Copy link
Collaborator

@bigludo7 bigludo7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM/

Copy link
Collaborator

@fernandopradocabrillo fernandopradocabrillo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fernandopradocabrillo
Copy link
Collaborator

@fernandopradocabrillo I've fixed megalinter issues so review required :)

done! and I won't charge you extra :)

@fernandopradocabrillo fernandopradocabrillo merged commit f836b5b into camaraproject:main Jun 12, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants