Token scope needs to expand , currently it is limited to domain of its issuer. about ac HOT 4 CLOSED

I'm pretty sure this is not the place to change logic of when a token should be sent or not. The correct place is in the code that creates the AuthorizationToken to begin with because that code is the one that populates the list of domains.

It isn't clear how exactly that code would know/decide which domains to put in the list, but it's clearly not something the http lib can do.

For the purposes of OIDC tokens, that code is the StandardIdentityManager in https://github.com/opencadc/ac/tree/master/cadc-gms, which currently uses the hostname of the OIDC issuer.

I will transfer this issue to that repo and rename for clarity.

from ac.

The current implementation of the IentityManager has to validate/augment an incoming auth token (AuthorizationTokenPrincipal) by calling the issuer and, if successful, it creates an AuthorizationToken and adds it to the credential set so that calls can be made on the user's behalf. Use case: subsequent call to a GMS service using IvoaGroupClient.

At the point of the validate(), the code only knows it's own trusted token issuer and this only knows that the operator of that software trusts that issuer (host) as a place to send user tokens, so that's the only domain it adds to the AuthorizationToken. Given that this is the "user service" and "groups" are tightly coupled with users, this is close to being the right choice for the user case.

For example, if the issuer was https://srv.example.net/users and the GMS service was https://srv.example.net/groups then the current code would enable a service that was configured with that issuer to successfully send the token to that gms service to check groups. A slightly different setup like issuer https://issuer.example.net/ and https://gms.example.net/ would not work as-is because of the different hostnames, but that's almost a bug... I say almost because deriving a domain from a hostname and then assuming tokens are valid for the whole domain is a huge assumption that won't always be true and will sometimes be really dangerous!

I haven't seen or understood something in OIDC docs that says how code can figure out where it is safe to send tokens (eg in the context of the StandardIdentityManager.validate() method). I feel like the issuer should be the one to declare or advertise where tokens can be safely sent (which internet hosts/domains are part of it's "administrative domain")... lots TBD here and certainly open to enhancements, but they have to be safe :-)

from ac.

Would just like to flag this issue as increasingly important as the UK deployment of GMS (on a different host as IAM, but some domain) is being deployed.

from ac.

PR #143 improves this (minimally) so that AuthorizationToken includes the hostname of the OICD issuer and the hostname of a trusted GMS service (configured as usual via cadc-registry config). Since the LocalAuthority API only allows for one {standardID} = {resourceID} mapping, this enables a single GMS service that is rpesumably co-located with the OIDC issuer.

from ac.