Question by Timothy Murray (tcs) · Mar 19, 2019 at 05:16 PM · 158 Views microgateway oauth scopes

Microgateway oauth plugin does not seem to enforce scopes

I am working on a system where we are using scopes to enforce RBAC.

The edgemicro-auth proxy was not populating the scopes element on the token. I have tweaked it and now it does. And as expected if the scopes passed in do not mach any of the scopes assigned to the products in the app the scopes element is blank.

But when I use the token to access token to access a microgateway aware proxy the token is accepted whether or not it has scopes, and whether the scope is the correct scope or not.

Add comment Show 2

10 |5000 characters needed characters left characters exceeded

Imesh Gunaratne ♦ · Mar 26, 2019 at 12:43 AM 0

Link

Timothy, thanks for sharing your findings! As you have identified Edge Microgateway oauth plugin does not handle OAuth scopes at the moment. May be you could open a pull request or an issue explaining the improvements you have done. Thanks!

https://github.com/apigee/microgateway-edgeauth
https://github.com/apigee/microgateway-plugins

Dinesh Viswanath · Oct 24 at 07:05 PM 0

Link

I am working on a similar problem. I thinking of passing scopes to the target(reverse proxy'd) server to enable target proxy ensuring the sufficient scope is present before accessing.

did you manage to solve your problem? if so please share your approach. @timothymurray