-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
One security requirement satisfied, and another hard-failing #1698
Comments
Possibly related #971 |
"Security Requirement Objects that contain multiple schemes require that all schemes MUST be satisfied for a request to be authorized." |
@cmheazel If your Security Requirement Object says "A or B", and A is present and B is not, then clearly the requirement is satisfied. I understand that part. If A and B are both present, it's similarly obvious the requirement is satisfied. But if the requirement is "A or B" and A and B are both present, and A is incorrect, is the requirement satisfied? By the letter of the spec, it is, because B is present and correct. I would argue this is incorrect, however. The client is trying to authenticate as A and is failing, so something is not right here. |
Let's start with Example 1:
There are two security requirements, each with one scheme. Access is allowed if either scheme1 or scheme2 is valid. Next we look at example 2:
In this case we have one security requirement which contains two schemes. Access is allowed only if both scheme3 and scheme4 are valid. Finally we bring it all together in example 3:
Access is governed by the following Boolean expression: Does that help? |
Maybe a table will help. Let's say we're in example 1. Access is allowed if scheme1 is valid or scheme2 is valid. A given security requirement can be in one of three states; valid, missing, or invalid. For example, if you need a basic auth header, the auth header can not be there at all (missing), it can be there with a valid username and password (valid), or it can be there, but have an invalid username, or valid username but the wrong password (invalid).
These "???"s are the bit I'm concerned with. You assertion is that, in the upper right corner here, even though the user has provided invalid credentials for scheme1, we should still allow the request through, because they provided valid credentials for scheme2, and since this satisfies the boolean logic "s1 || s2", we're good. My assertion is that an invalid credential should be treated less like a My implementation does exactly this second one, but I've had this same discussion many times, and I always come to a different conclusion about how it should be handled. :) |
"When a list of Security Requirement Objects is defined on the Open API object or Operation Object, only one of Security Requirement Objects in the list needs to be satisfied to authorize the request." IF securityRqmt1 is present and scheme1 is valid THEN allow access So the value for ???? should be "allow" since one of the security requirements was satisfied. |
Ah, but, in your implementation our truth table ends up looking like:
One of the ??? becomes allow (because we check s1 first), but the second becomes a reject (because we catch the error from s2). This gives us a truth table that is weirdly not symmetric. It also implies that the ordering of security requirements is significant, which I'm not sure the spec implies. |
closing this one as not so munch activity , |
@niallmccullagh and I were having a discussion over here which I've had more than once with a few people, and everyone has a different opinion about how this scenario should work. Let's suppose you have a security requirement that looks like:
So to access this operation, you either need a valid session key, or a valid basic auth header.
Now, let's suppose a client sends a valid session key, but also sends a basic auth header with a username but the incorrect password. The question is:
The text was updated successfully, but these errors were encountered: