Matching scope claims

[mattcallow]

Hi, I'm using mod_oauth2 and am having trouble validating the scope from a JWT.
I have a JWT with the following scope claim:
"scope": "scopeA scopeB",

If I have the following config in my apache.conf, the request passes authorization:

Require oauth2_claim "scope:scopeA scopeB"
And I see the following entries in the log (with debug turned on)

42:54630] oauth2_apache_authorize: evaluating claim/expr specification: scope:scopeA scopeB
<snip>
[Mon Nov 28 11:39:45.515344 2022] [oauth2:debug] [pid 348179:tid 140378186450688] src/server/apache.c(927): [client ***] oauth2_apache_authz_match_claim: evaluating key "scope"
[Mon Nov 28 11:39:45.515348 2022] [oauth2:debug] [pid 348179:tid 140378186450688] src/server/apache.c(838): [client ***] oauth2_apache_authz_match_value: matching: spec_c=scopeA scopeB, key=scope
[Mon Nov 28 11:39:45.515353 2022] [oauth2:debug] [pid 348179:tid 140378186450688] src/server/apache.c(1029): [client ***] oauth2_apache_authorize: require claim/expr 'scope:scopeA scopeB' matched
[Mon Nov 28 11:39:45.515358 2022] [oauth2:debug] [pid 348179:tid 140378186450688] src/mod_oauth2.c(240): [client ***] oauth2_authz_checker: leave
[Mon Nov 28 11:39:45.515362 2022] [authz_core:debug] [pid 348179:tid 140378186450688] mod_authz_core.c(820): [client ***] AH01626: authorization result of Require oauth2_claim "scope:scopeA scopeB": granted
[Mon Nov 28 11:39:45.515367 2022] [authz_core:debug] [pid 348179:tid 140378186450688] mod_authz_core.c(820): [client ***] AH01626: authorization result of <RequireAny>: granted

But, if I only require one of the scopes:
Require oauth2_claim "scope:scopeA"

it fails authorization

[Mon Nov 28 11:44:43.249588 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(1024): [client ***] oauth2_apache_authorize: evaluating claim/expr specification: scope:scopeA
<snip>
[Mon Nov 28 11:44:43.249790 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(927): [client ***] oauth2_apache_authz_match_claim: evaluating key "scope"
[Mon Nov 28 11:44:43.249794 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(838): [client ***] oauth2_apache_authz_match_value: matching: spec_c=scopeA, key=scope
[Mon Nov 28 11:44:43.249802 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(927): [client ***] oauth2_apache_authz_match_claim: evaluating key "gty"
[Mon Nov 28 11:44:43.249809 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(365): [client ***] oauth2_apache_return_www_authenticate: enter
[Mon Nov 28 11:44:43.249818 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(457): [client ***] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Mon Nov 28 11:44:43.249880 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/server/apache.c(389): [client ***] oauth2_apache_return_www_authenticate: leave
[Mon Nov 28 11:44:43.249890 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/mod_oauth2.c(235): [client ***] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Mon Nov 28 11:44:43.249896 2022] [oauth2:debug] [pid 348400:tid 140378169665280] src/mod_oauth2.c(240): [client ***] oauth2_authz_checker: leave
[Mon Nov 28 11:44:43.249905 2022] [authz_core:debug] [pid 348400:tid 140378169665280] mod_authz_core.c(820): [client ***] AH01626: authorization result of Require oauth2_claim "scope:scopeA": denied
[Mon Nov 28 11:44:43.249913 2022] [authz_core:debug] [pid 348400:tid 140378169665280] mod_authz_core.c(820): [client ***] AH01626: authorization result of <RequireAny>: denied

Similarly, if I swap the order of the required scopes
Require oauth2_claim "scope:scopeB scopeA"

authorization also fails.

[Mon Nov 28 11:47:22.045452 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(1024): [client *] oauth2_apache_authorize: evaluating claim/expr specification: scope:scopeB scopeA
<snip>
[Mon Nov 28 11:47:22.045488 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(927): [client *] oauth2_apache_authz_match_claim: evaluating key "scope"
[Mon Nov 28 11:47:22.045492 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(838): [client *] oauth2_apache_authz_match_value: matching: spec_c=scopeB scopeA, key=scope
[Mon Nov 28 11:47:22.045497 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(927): [client *] oauth2_apache_authz_match_claim: evaluating key "gty"
[Mon Nov 28 11:47:22.045504 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(365): [client *] oauth2_apache_return_www_authenticate: enter
[Mon Nov 28 11:47:22.045513 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(457): [client *] oauth2_apache_hdr_out_add: WWW-Authenticate: Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."
[Mon Nov 28 11:47:22.045518 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/server/apache.c(389): [client *] oauth2_apache_return_www_authenticate: leave
[Mon Nov 28 11:47:22.045525 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/mod_oauth2.c(235): [client *] oauth2_authz_checker: setting environment variable OAUTH2_BEARER_SCOPE_ERROR to "Bearer error="insufficient_scope", error_description="Different scope(s) or other claims required."" for usage in mod_headers
[Mon Nov 28 11:47:22.045531 2022] [oauth2:debug] [pid 348628:tid 140378169534208] src/mod_oauth2.c(240): [client *] oauth2_authz_checker: leave
[Mon Nov 28 11:47:22.045538 2022] [authz_core:debug] [pid 348628:tid 140378169534208] mod_authz_core.c(820): [client *] AH01626: authorization result of Require oauth2_claim "scope:scopeB scopeA": denied
[Mon Nov 28 11:47:22.045543 2022] [authz_core:debug] [pid 348628:tid 140378169534208] mod_authz_core.c(820): [client *] AH01626: authorization result of <RequireAny>: denied

I'm using mod_oauth2.x86_64 3.2.3-1.el8

Looking at https://www.rfc-editor.org/rfc/rfc6749#section-3.3 it says:

The value of the scope parameter is expressed as a list of space-
delimited, case-sensitive strings. The strings are defined by the
authorization server. If the value contains multiple space-delimited
strings, their order does not matter, and each string adds an
additional access range to the requested scope.

Am I missing something? I thought that all of these configurations should pass authorization.

Thanks

Matt

[zandbelt]

you're referring to a spec item that defines how the client can request multiple scopes in an authorization request using url-encoded parameters; that is different from the server passing back granted scopes in a JWT token; in fact for the latter, there is no formal definition but since we are dealing with multiple values in a JWT, the obvious thing to do is pass them back in an array; in your setup, the space delimited value right now is treated as a single string value (with a space); if you can make your server pass back scope values in an array, you can inspect the individual scope values

[mattcallow]

Hi. Thanks for the quick response. Indeed, that section of the RFC does refer to the client request, however it is also referenced in the response (Section 5.1)

scope
OPTIONAL, if identical to the scope requested by the client;
otherwise, REQUIRED. The scope of the access token as
described by Section 3.3.

I'm using Auth0, and it returns multiple scopes as a single space separated string, which I think matches the above.

rfc7662 also specifies the token introspection response which includes:

scope
OPTIONAL. A JSON string containing a space-separated list of
scopes associated with this token, in the format described in
Section 3.3 of OAuth 2.0 [RFC6749].

I also found an example in rfc7662 which matches the above format

{
"active": true,
"client_id": "l238j323ds-23ij4",
"username": "jdoe",
"scope": "read write dolphin",
"sub": "Z5O3upPC88QrAjx00dis",
"aud": "https://protected.example.net/resource",
"iss": "https://server.example.com/",
"exp": 1419356238,
"iat": 1419350238,
"extension_field": "twenty-seven"
}

Of course, I could be reading these wrong. But to me it looks like the scope should be a single string, with multiple scopes separated by space.

Matt

[zandbelt]

ah, you're right; it seems I got my wires crossed here; I think you'll have to spell out the combinations of scopes you can expect then

[studersi]

We actually ran into the same issue and due to the number of scopes, listing the combinations is not practical. Even with just 5 scopes there are 120 permutations, which would mean 120 Require statements. Are there any plans to add an alternative way of doing this (e.g. along the lines of mod_auth_openidc - Authorization)?

[zandbelt]

can you try OpenIDC/liboauth2@3817074

[studersi]

@zandbelt Thank you for your quick response. I'll see if we can have this built and packaged for testing.

[studersi]

@zandbelt I tried tried the suggested version and matching the scopes appears to work as intended. Thank you for the quick implementation!

[mattcallow]

OK. I don't think that will be practical for me. I will look for an alternative solution to handle the scope validation.