Microgateway oauth plugin does not seem to enforce scopes

I am working on a system where we are using scopes to enforce RBAC.

The edgemicro-auth proxy was not populating the scopes element on the token. I have tweaked it and now it does. And as expected, if the scopes passed in do not match any of the scopes assigned to the products in the app, the scopes element is blank.

But when I use the token to access a microgateway-aware proxy, the token is accepted whether or not it has scopes, and whether the scope is the correct scope or not.


Timothy, thanks for sharing your findings! As you have identified, the Edge Microgateway oauth plugin does not handle OAuth scopes at the moment. Maybe you could open a pull request or an issue explaining the improvements you have done. Thanks!

https://github.com/apigee/microgateway-edgeauth
https://github.com/apigee/microgateway-plugins
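Since the oauth plugin does not check scopes, the check has to live in a separate plugin or in the target. The following is an added example (not code from the thread or from the apigee/microgateway-plugins repository) of what a scope-enforcing plugin could look like. It assumes the upstream oauth plugin has already verified the token signature and attached the decoded payload as `req.token`, that plugins follow the `init(config, logger, stats)` shape returning an `onrequest` handler, and that a route-to-scope policy is supplied in `config.policy`; the policy, the token payloads and the route names are constructed for the example. Tokens whose scope element is blank (the case described in the question) are rejected, and routes with no policy entry are rejected as well rather than falling open.

```javascript
// Added example: scope enforcement for an Edge Microgateway-style plugin.
// Assumptions (not from the thread): the oauth plugin has already verified
// the JWT and set req.token to the decoded payload; plugins are shaped as
// init(config, logger, stats) -> { onrequest(req, res, next) }; the policy
// comes from config.policy. All sample data below is constructed.

// Constructed policy: which scope a (method, path prefix) pair requires.
const DEFAULT_POLICY = [
  { method: 'GET',    pathPrefix: '/orders', scope: 'orders.read' },
  { method: 'POST',   pathPrefix: '/orders', scope: 'orders.write' },
  { method: 'DELETE', pathPrefix: '/orders', scope: 'orders.admin' },
];

// Normalise granted scopes. Accept either a space-separated "scope" string
// (RFC 6749 style) or a "scopes" array; anything else means "none granted",
// so a missing or blank scopes element never passes the check.
function grantedScopes(token) {
  if (!token || typeof token !== 'object') return new Set();
  if (Array.isArray(token.scopes)) {
    return new Set(token.scopes.filter((s) => typeof s === 'string' && s.length > 0));
  }
  if (typeof token.scope === 'string') {
    return new Set(token.scope.split(/\s+/).filter(Boolean));
  }
  return new Set();
}

// Look up the scope a request needs. Prefix matching is done on path-segment
// boundaries so "/orders" does not accidentally cover "/ordersarchive".
// Returns null when no rule matches.
function requiredScope(policy, method, path) {
  const rule = policy.find(
    (r) => r.method === method && (path === r.pathPrefix || path.startsWith(r.pathPrefix + '/')),
  );
  return rule ? rule.scope : null;
}

// Core decision, kept free of HTTP objects so it is easy to test.
// Fail-closed: unknown routes and scope-less tokens are both denied.
function authorize(policy, token, method, path) {
  const needed = requiredScope(policy, method, path);
  if (needed === null) return { allow: false, reason: 'no_policy_for_route' };
  const granted = grantedScopes(token);
  if (granted.size === 0) return { allow: false, reason: 'token_has_no_scopes' };
  if (!granted.has(needed)) return { allow: false, reason: 'missing_scope:' + needed };
  return { allow: true, reason: 'ok' };
}

// Plugin wrapper in the assumed microgateway plugin shape.
function init(config, logger, stats) {
  const policy = (config && Array.isArray(config.policy)) ? config.policy : DEFAULT_POLICY;
  return {
    onrequest(req, res, next) {
      // The base URL is only there so the path can be parsed; it is never contacted.
      const pathname = new URL(req.url, 'http://placeholder.invalid').pathname;
      const decision = authorize(policy, req.token, req.method, pathname);
      if (decision.allow) return next();
      if (logger && typeof logger.warn === 'function') {
        logger.warn({ reason: decision.reason, method: req.method, path: pathname }, 'scope check failed');
      }
      // RFC 6750: insufficient_scope is signalled with 403 and WWW-Authenticate.
      res.statusCode = 403;
      res.setHeader('WWW-Authenticate', 'Bearer error="insufficient_scope"');
      res.end(JSON.stringify({ error: 'insufficient_scope', reason: decision.reason }));
    },
  };
}

if (typeof module !== 'undefined') {
  module.exports = { init, authorize, grantedScopes, requiredScope, DEFAULT_POLICY };
}
```

The decision logic is separated from the request handler so the policy can be unit-tested without spinning up the gateway, and the handler is deliberately fail-closed: a route nobody wrote a rule for is a gap in the policy, not an implicit allow.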

I am working on a similar problem. I am thinking of passing the scopes to the target (reverse-proxied) server so the target proxy can ensure a sufficient scope is present before allowing access.

Did you manage to solve your problem? If so, please share your approach. @timothymurray