Closed Bug 1457126 Opened 7 years ago Closed 7 years ago

Authorization failures should state which clientId lacks scopes

Categories

(Taskcluster :: Services, enhancement)

Product:
Taskcluster
Component:
Services
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: pmoore, Unassigned, Mentored)

Details

Currently we get messages like: "You do not have sufficient scopes..." Let's change these messages to say: "Client ID xxxx (issuer yyyy) does not have sufficient scopes..." If we do this, when a task misses scopes, the error should say: "Client ID task-client/<taskId>/<runId>/on/<workerGroup>/<workerId>/until/<expiration> does not have sufficient scopes..." If a user missed scopes it would say e.g.: "Client ID mozilla-auth0/ad|Mozilla-LDAP|pmoore does not have sufficient scopes..." This would help clarify who "you" refers to.
Mentor: dustin
Hi Dustin. I am taking this up. Could you point to me the concerned repository, I mean other than taskcluster-auth if there is? Thanks!
Awesome! The error message in question is defined at https://github.com/taskcluster/taskcluster-lib-api/blob/master/src/api.js#L542 so that's the place to start looking. It might be really easy to fix this! Or it might be a little bit tricky to figure out what the clientId is. Let's not worry about the issuer to start with -- I believe that information is even harder to come by, and it will almost always be taskcluster-login or taskcluster-queue.
Assignee: nobody → kritisingh1.ks
Hi Kriti, are you still working on it :)?
Flags: needinfo?(kritisingh1.ks)
Hi Hassan, I regret to inform that my system has got some serious hardware issues and it is taking time to repair, probably a week more from now. So I wont be able to do anything about this till then. If this issue needs immediate attention, I am really sorry and would request you to go ahead and unassign me from this, else I would be happy to do this once the problem is fixed. Thanks for the patience and sorry for inconvenience.
Flags: needinfo?(kritisingh1.ks)
QA Contact: dustin
We'll unassign, but if you want to come back to this bug later just let us know..
Assignee: kritisingh1.ks → nobody
Hi Dustin. I want to come back at this. I see though the code of the taskcluster-lib-api has changed a lot and the line you referred to in the above comment doesn't even exists now. So, is this issue resolved now and if not, is there any other repository I need to look into? Thanks.
Flags: needinfo?(dustin)
Welcome back! Here's a more permanent link: https://github.com/taskcluster/taskcluster-lib-api/blob/4ee4aaa35c1fa34aaff78e9f17f63cb726d020d5/src/middleware/auth.js#L294 I think we can safely ignore the issuer -- it doesn't provide very useful information. The clientId is available as `result.clientId`. So this should be a pretty small patch -- but please add a test (or modify an existing test) too :)
Flags: needinfo?(dustin)
I made this PR a few days ago. Please have a look. https://github.com/taskcluster/taskcluster-lib-api/pull/113
Looks good! I released this as 12.5.1. What would you like to hack on next?
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Hi Dustin. I would like to switch to any good-next-bug. Thanks!
Sounds good, and you know how to find them now! Note that Taskcluster is not running a project this round, so while we would love to continue to work with you, it might make sense to work with some other teams at Mozilla that you can find through Codetribute if you want to make connections with potential mentors.
Component: Authentication → Services
You need to log in before you can comment on or make changes to this bug.