Closed Bug 1388543 Opened 7 years ago Closed 7 years ago

Be ready to use OIDC scopes to control what Taskcluster scopes are issued

Categories

(Taskcluster :: Services, enhancement)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: dustin)

I would like to have the option, someday, of issuing only a limited set of scopes.  OIDC has a way of asking for specific kinds of access to an API (also called "scopes" but completely different).  I'm not sure how we will map OIDC scopes to Taskcluster scopes, but let's prepare for that day by requiring an OIDC scope to get full TC credentials.  Then apps using that scope can continue to operate in a world where we start to limit access.
Blocks: 1385363
No longer blocks: 1385363
Blocks: 1380028
Scope setup requests:

RITM0055485
RITM0055484
IAM scope requests are still pending.
Still pending.  I sent a reminder email to kang et al.
OK, this is up and running.  It appears the version of the lock we are using now displays only the scope names, not the descriptions.  It also doesn't say 'scope xyz for Taskcluster-Login', it just says 'xyz'.  So I think we need something a little more explicit, maybe `taskcluster:full-access`.  Then later we can define some more limited scopes.
We are ready now and for the foreseeable future -- have the scope 'full-user-credentials'.  I will add code to login to require that scope.
I was missing a `!` in that last commit, but it's fixed and verified now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Component: Login → Services
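
The scope requirement discussed in this bug, sketched as an added example that is not the taskcluster-login code or part of any comment above. Only the scope name `full-user-credentials` comes from the bug; the function names, the claim layout (a space-delimited `scope` string on an already verified token) and the sample data are assumptions.

```javascript
// Added example, not taskcluster-login's code. Only the scope name
// 'full-user-credentials' comes from the bug; every other name is hypothetical.
const REQUIRED_SCOPE = 'full-user-credentials';

// OAuth2 carries granted scopes as one space-delimited string (RFC 6749, 3.3).
// Anything else (missing claim, array, number) yields an empty set: fail closed.
function parseScopes(scopeClaim) {
  if (typeof scopeClaim !== 'string') {
    return new Set();
  }
  return new Set(scopeClaim.split(' ').filter((s) => s.length > 0));
}

// Exact token match; a substring test would accept 'full-user-credentials-ro'.
function hasRequiredScope(claims) {
  return parseScopes(claims ? claims.scope : undefined).has(REQUIRED_SCOPE);
}

// Hypothetical issuing step. `claims` are assumed to come from a token whose
// signature, audience and expiry were already verified. Dropping the `!` below
// inverts the gate: tokens without the scope would be the only ones served.
function issueCredentials(claims, makeCredentials) {
  if (!hasRequiredScope(claims)) {
    return {status: 403, error: `missing OIDC scope ${REQUIRED_SCOPE}`};
  }
  return {status: 200, credentials: makeCredentials(claims.sub)};
}

// Constructed sample claims with the status each one must produce.
const CASES = [
  [{sub: 'u1', scope: 'openid profile full-user-credentials'}, 200],
  [{sub: 'u2', scope: 'openid profile'}, 403],
  [{sub: 'u3', scope: 'full-user-credentials-ro'}, 403],
  [{sub: 'u4'}, 403],
  [{sub: 'u5', scope: ['full-user-credentials']}, 403],
  [null, 403],
];

// Run every case; returns the cases that gave the wrong status.
function failingCases() {
  const fake = (sub) => ({clientId: `example/${sub}`}); // hypothetical credential shape
  return CASES.filter(([claims, want]) => issueCredentials(claims, fake).status !== want);
}

console.log(failingCases().length === 0 ? 'all cases pass' : failingCases());
```

A case table that includes both a granted and a denied token catches an inverted condition, since the inversion flips every row.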