OAuth with Service Header Problem


Dylan Maxwell

Jan 22, 2019, 10:03:58 AM
to CAS Community
I'm attempting to use OAuth with the optional service HTTP header (X-service or service) using the "client_credentials" grant type with CAS v6.0.

I have three simple services registered:

HTTP-100.json
{
 "@class" : "org.apereo.cas.services.RegexRegisteredService",
 "serviceId" : "^(http|https)://.*",
 "name" : "HTTP",
 "id" : 100,
 "description" : "This service definition authorizes all application urls that support HTTP or HTTPS protocols.",
 "evaluationOrder" : 10000
}

OAUTH_CLIENT-101.json
{
 "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
 "clientId": "scdb_api_v1",
 "clientSecret": "clientSecret11",
 "name" : "OAUTH_CLIENT",
 "id" : 101,
 "serviceId" : "http://example.com/api/v1",
 "supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
 "jsonFormat":true
}

OAUTH_CLIENT-102.json
{
 "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
 "clientId": "scdb_api_v2",
 "clientSecret": "clientSecret22",
 "name" : "OAUTH_CLIENT",
 "id" : 102,
 "serviceId" : "http://example.com/api/v2",
 "supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
 "jsonFormat":true
}

According to the documentation: "You may optionally also pass along a service or X-service header value that identifies the target application url. The header value must match the OAuth service definition in the registry that is linked to the client id."

When I execute the attached Python script I get results which do not enforce that the X-service header match the defined serviceId; instead, it seems it simply must match ANY serviceId.

# TEST 1
Request access token for "X-service: http://example.com/api/v1", with credentials for API v1
Response status code: 200, data: {"access_token":"AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L","token_type":"bearer","expires_in":28800,"scope":[]}

Request profile for token: AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L
Response status code: 200, data: {"service":"http://example.com/api/v1","attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v1"}

# TEST 2
Request access token for "X-service: http://example.com/api/v2", but with credentials for API v1
Response status code: 200, data: {"access_token":"AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC","token_type":"bearer","expires_in":28800,"scope":[]}

Request profile for token: AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC
Response status code: 200, data: {"service":"http://example.com/api/v2","attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v2"}

# TEST 3
Request access token for "X-service: http://example.com/api/v3", but with credentials for API v1
Response status code: 200, data: {"access_token":"AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De","token_type":"bearer","expires_in":28800,"scope":[]}

Request profile for token: AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De
Response status code: 200, data: {"attributes":{},"id":"scdb_api_v1"}

As the results demonstrate I can use the credentials for one service to authenticate for another service!

Perhaps I have misunderstood how the X-service header is meant to be used, or how services are resolved.

But my expectation was that only TEST 1 would be able to successfully authenticate.

Any insight into this matter would be greatly appreciated.

Thanks,
-Dylan

oauth2_test.py
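To make the expected enforcement concrete, here is an added reference check (not CAS code, and not the poster's attached script) that models the three registered services from the post as a constructed registry and contrasts the lookup the tests observed (first service whose serviceId pattern matches the header, regardless of client) with the client-to-service binding the documentation describes. The dataclass, registry and function names are assumptions for illustration.

```python
"""Constructed model of the OAuth service-header check discussed in the post."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RegisteredService:
    id: int
    name: str
    service_id: str                  # regex, as in the CAS JSON "serviceId"
    client_id: Optional[str] = None  # only OAuthRegisteredService entries carry one
    evaluation_order: int = 0


# Constructed registry mirroring the three JSON definitions from the post.
REGISTRY = [
    RegisteredService(100, "HTTP", r"^(http|https)://.*", None, 10000),
    RegisteredService(101, "OAUTH_CLIENT", "http://example.com/api/v1", "scdb_api_v1"),
    RegisteredService(102, "OAUTH_CLIENT", "http://example.com/api/v2", "scdb_api_v2"),
]


def resolve_by_url(url: str) -> Optional[RegisteredService]:
    """Lookup the tests observed: lowest evaluationOrder service whose pattern
    matches the header URL, with no reference to the client id at all."""
    for svc in sorted(REGISTRY, key=lambda s: s.evaluation_order):
        if re.match(svc.service_id, url):
            return svc
    return None


def authorize_client_credentials(client_id: str, service_header: Optional[str]) -> Tuple[bool, str]:
    """Enforcement the documentation describes: resolve the OAuth service by
    client id first, then require the header to match THAT service's pattern."""
    bound = [s for s in REGISTRY if s.client_id == client_id]
    if not bound:
        return False, "unknown client id"
    svc = bound[0]
    if service_header is None:
        return True, f"no service header; using service {svc.id}"
    if re.match(svc.service_id, service_header):
        return True, f"header matches service {svc.id} bound to {client_id}"
    return False, f"header {service_header} is not the service bound to {client_id}"
```

With this check TEST 1 passes, while TEST 2 and TEST 3 are refused because neither header is the service registered under scdb_api_v1, even though the URL-only lookup still resolves them to service 102 and the catch-all service 100 respectively.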