I'm attempting to use OAuth with the optional service HTTP header (X-service or service) using the "client_credentials" grant type with CAS v6.0.
I have three simple services registered:
HTTP-100.json
{ "@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(http|https)://.*",
"name" : "HTTP",
"id" : 100,
"description" : "This service definition authorizes all application urls that support HTTP or HTTPS protocols.",
"evaluationOrder" : 10000
}
OAUTH_CLIENT-101.json
{ "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "scdb_api_v1",
"clientSecret": "clientSecret11",
"name" : "OAUTH_CLIENT",
"id" : 101,
"supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
"jsonFormat":true
}
OAUTH_CLIENT-102.json
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "scdb_api_v2",
"clientSecret": "clientSecret22",
"name" : "OAUTH_CLIENT",
"id" : 102,
"supportedGrantTypes": [ "java.util.HashSet", [ "client_credentials" ] ],
"jsonFormat":true
}
According to the
documentation: "You may optionally also pass along a
service
or
X-service
header value that identifies the target application url. The header
value must match the OAuth service definition in the registry that is
linked to the client id."
When I execute the attached Python script I get results which do not enforce that the X-service header match the defined serviceId, instead it seems it simply must match ANY serviceId.
# TEST 1
Request access token for "X-service: http://example.com/api/v1", with credentials for API v1
Response status code: 200, data: {"access_token":"AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L","token_type":"bearer","expires_in":28800,"scope":[]}
Request profile for token: AT-16-Yz-0nTnaoeDQLMledeZByMHht1T6cL-L
Response status code: 200: data: {"service":"http://example.com/api/v1","attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v1"}
# TEST 2
Request access token for "X-service: http://example.com/api/v2", but with credentials for API v1
Response status code: 200, data: {"access_token":"AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC","token_type":"bearer","expires_in":28800,"scope":[]}
Request profile for token: AT-17-PWxfLaWN4P1mxf5fKG3qamCSfxJEclsC
Response status code: 200, data: {"service":"http://example.com/api/v2","attributes":{},"id":"scdb_api_v1","client_id":"scdb_api_v2"}
# TEST 3
Request access token for "X-service: http://example.com/api/v3", but with credentials for API v1
Response status code: 200, data: {"access_token":"AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De","token_type":"bearer","expires_in":28800,"scope":[]}
Request profile for token: AT-18-pba2h3sGLPfoVRw-HEqveQ-tplPBk9De
Response status code: 200, data: {"attributes":{},"id":"scdb_api_v1"}
As the results demonstrate I can use the credentials for one service to authenticate for another service!
Perhaps I have misunderstood how the X-service header is meant to be used, or how services are resolved.
But my expectation was that only TEST 1 would be able to successfully authenticate.
Any insight into this matter would be greatly appreciated.
Thanks,
-Dylan