Closed
Bug 1388543
Opened 7 years ago
Closed 7 years ago
Be ready to use OIDC scopes to control what Taskcluster scopes are issued
Categories
(Taskcluster :: Services, enhancement)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
I would like to have the option, someday, of issuing only a limited set of scopes. OIDC has a way of asking for specific kinds of access to an API (also called "scopes" but completely different). I'm not sure how we will map OIDC scopes to Taskcluster scopes, but let's prepare for that day by requiring an OIDC scope to get full TC credentials. Then apps using that scope can continue to operate in a world where we start to limit access.
Assignee
Comment 1•7 years ago
Scope setup requests: RITM0055485 RITM0055484
Assignee
Comment 2•7 years ago
IAM scope requests are still pending.
Assignee
Comment 3•7 years ago
Still pending. I sent a reminder email to kang et al.
Assignee
Comment 4•7 years ago
OK, this is up and running. It appears the version of the lock we are using now displays only the scope names, not the descriptions. It also doesn't say 'scope xyz for Taskcluster-Login', it just says 'xyz'. So I think we need something a little more explicit, maybe `taskcluster:full-access`. Then later we can define some more limited scopes.
Assignee
Comment 5•7 years ago
We are ready now and for the foreseeable future -- have the scope 'full-user-credentials'. I will add code to login to require that scope.
Assignee
Comment 6•7 years ago
https://github.com/taskcluster/taskcluster-login/pull/55
Comment 7•7 years ago
Commits pushed to master at https://github.com/taskcluster/taskcluster-login
https://github.com/taskcluster/taskcluster-login/commit/c08cba1199d591d3443de59d399ff98603d48c9d
Bug 1388543 - reject requests without scope full-user-credentials
https://github.com/taskcluster/taskcluster-login/commit/87900b4d877029971927a30661024d63791c9fb5
Merge pull request #55 from djmitche/bug1388543
Bug 1388543 - reject requests without scope full-user-credentials
Assignee
Comment 8•7 years ago
I was missing a `!` in that last commit, but it's fixed and verified now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated•5 years ago
Component: Login → Services
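The gate this bug asks for, requiring the OIDC scope `full-user-credentials` before full Taskcluster credentials are issued, can be sketched as follows. This is an added example, not code from taskcluster-login or its pull request; the function names are hypothetical, and it assumes the already-verified access-token claims carry an OAuth 2.0 style space-delimited `scope` string.

```javascript
// Added example: all function names here are hypothetical, not taskcluster-login code.
const REQUIRED_SCOPE = 'full-user-credentials'; // scope name given in comment 5

// Split an OAuth 2.0 `scope` value (one space-delimited string) into a Set.
// A missing or non-string claim yields an empty set, so it fails closed.
function parseScopes(scopeClaim) {
  if (typeof scopeClaim !== 'string') {
    return new Set();
  }
  return new Set(scopeClaim.split(' ').filter((s) => s.length > 0));
}

// True only when the required scope appears as a whole token, never as a substring.
function hasRequiredScope(claims, required = REQUIRED_SCOPE) {
  if (claims === null || typeof claims !== 'object') {
    return false;
  }
  return parseScopes(claims.scope).has(required);
}

// Gate for the credential endpoint. `claims` must come from an access token
// whose signature, issuer and audience were already verified (assumed here).
function authorizeCredentialRequest(claims) {
  // Dropping this negation would reject valid callers and accept everyone else.
  if (!hasRequiredScope(claims)) {
    return { status: 403, error: `access token lacks scope ${REQUIRED_SCOPE}` };
  }
  return { status: 200 };
}

// Constructed sample claims (not real tokens), one per case worth testing.
const SAMPLES = {
  granted: { sub: 'user-a', scope: 'openid profile full-user-credentials' },
  notRequested: { sub: 'user-b', scope: 'openid profile' },
  lookalike: { sub: 'user-c', scope: 'openid full-user-credentials-extra' },
  noClaim: { sub: 'user-d' },
};

// Run every sample through the gate and return name -> HTTP status.
function checkSamples() {
  const out = {};
  for (const [name, claims] of Object.entries(SAMPLES)) {
    out[name] = authorizeCredentialRequest(claims).status;
  }
  return out;
}

console.log(checkSamples());
```

A regression test that covers both the accepted and the rejected case catches an inverted condition before it ships.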