fix: Unable to log in with third-party apps without "Manage OAuth Apps" permission #32782
Conversation
🦋 Changeset detected. Latest commit: 0edac8e. The changes in this PR will be included in the next version bump. This PR includes changesets to release 32 packages.
Force-pushed from 7f9cc44 to 918fe12.
…Auth Apps permission Added a new REST API method oauth-apps.info that returns a limited set of attributes (clientId, name) necessary for rendering the consent screen Signed-off-by: Vadim Aleksandrov <[email protected]>
Force-pushed from 918fe12 to e87d8d5.
Thanks for creating this PR! 🚀 I'll bring this for our team to check too
Resolved review thread on packages/rest-typings/src/v1/oauthapps/OAuthAppsInfoParamsGET.ts (outdated).
Codecov Report: all modified and coverable lines are covered by tests ✅

Additional details and impacted files:

@@ Coverage Diff @@
## develop #32782 +/- ##
===========================================
- Coverage 55.66% 48.28% -7.39%
===========================================
Files 2637 2219 -418
Lines 57399 50179 -7220
Branches 11892 10268 -1624
===========================================
- Hits 31954 24231 -7723
- Misses 22731 23843 +1112
+ Partials 2714 2105 -609
Flags with carried forward coverage won't be shown.
Force-pushed from 474fa7d to ce358c0.
@matheusbsilva137, I also fixed the type errors that were discovered after running the GitHub Workflow.
Looks like this PR is not ready to merge, because of the following issues:

Please fix the issues and try again. If you have any trouble, please check the PR guidelines.
{ authRequired: true, validateParams: isOauthAppsInfoParams }, | ||
{ | ||
async get() { | ||
const oauthApp = await OAuthApps.findOneAuthAppByIdOrClientId(this.queryParams); |
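Review bot: `findOneAuthAppByIdOrClientId(this.queryParams)` is called with no projection, so the whole OAuth app document (which, per the PR description, carries `clientSecret`) is loaded by a handler whose purpose is to expose only `clientId` and `name`; pass a projection limited to those two fields so the secret never leaves the data layer, and handle the `null` result when no app matches the query (the visible lines do not) by returning a not-found error rather than continuing with an undefined `oauthApp`.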
Add a projection since you're returning just clientId/name
(this will imply updating the model typings for allowing the projection to go as the current method doesn't allow it)
I added projection to the findOneAuthAppByIdOrClientId method of the IOAuthAppsModel and OAuthAppsRaw models. I hope I changed the code everywhere it was needed and didn't forget anything.
export interface IOAuthAppsInfo { | ||
clientId: string; | ||
name: string; | ||
} |
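Review bot: `IOAuthAppsInfo` restates two fields that already exist on `IOAuthApps` (referenced in the review below), so the two declarations can drift apart if either field's type changes; `export type OAuthAppsInfo = Pick<IOAuthApps, 'clientId' | 'name'>` expresses the same shape while keeping it tied to the source type.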
Personal pref: do we need this to be an interface? Can't we just export type OauthAppsInfo = Pick<IOAuthApps, 'clientId' | 'name'>?
I agree, that will be better.
Also added a check for the case when the OAuthApp is not found
Force-pushed from 18dbc0f to c3348d7.
@matheusbsilva137, sorry for the inconvenience, but I added a commit to fix the Prettier warning that appeared during code linting in the GitHub workflow. The tests need to be run again.

Hey @verdel !
@matheusbsilva137, I'm sorry that I initially went a bit off track. In my comment on the issue, I mentioned two possible ways to solve the problem: modifying the @scuciatto's comment eventually led me to choose the second option. And I still lean towards the idea that using a separate method (which returns the minimal necessary number of OAuth App attributes) within the OAuth2 Authorization Flow, regardless of user permissions, is a more correct approach from a security perspective, even though it might be less correct from an API method semantics standpoint. In any case, if the core product development team has decided that the solution proposed in your PR is more appropriate, then I can't influence that decision. At least I was able to help in some way with the final implementation of the idea. Moreover, your solution addresses the original problem mentioned in the issue. Thank you and everyone who reviewed this PR for your time.
Added a new REST API method oauth-apps.info that returns a limited set of attributes (clientId, name) necessary for rendering the consent screen

Proposed changes (including videos or screenshots)

The issue is detailed in my comment on #31749.

The attributes clientId and name of the OAuth application are used in the process of rendering the consent screen. The API method oauth-apps.get is used to obtain these attributes. This method also returns the clientSecret attribute. To prevent regular users from obtaining this sensitive data, the user must have manage-oauth-apps permissions to call the method. Therefore, regular users cannot use the third-party login process. I am adding a separate API method oauth-apps.info that only returns the clientId and name attributes needed in the process of rendering the consent screen.

Issue(s)

Closes #31749
CORE-473
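The endpoint split the description above proposes, as an added example that is not code from this PR or from Rocket.Chat: a privileged oauth-apps.get that returns the full document and an unprivileged oauth-apps.info that fetches only clientId and name through a projection and reports a missing app instead of failing. The names IOAuthApps, findOneAuthAppByIdOrClientId and manage-oauth-apps mirror the thread; the in-memory store, the permission stub, the field-list projection and the synchronous calls are assumptions made so the example runs stand-alone.

```typescript
// Added example (not Rocket.Chat code): in-memory model of the two endpoints
// discussed in this PR. IOAuthApps, findOneAuthAppByIdOrClientId and the
// manage-oauth-apps permission name mirror the thread; the store, the permission
// stub, the field-list projection and synchronous calls are assumptions.

interface IOAuthApps {
  _id: string;
  clientId: string;
  clientSecret: string;
  name: string;
  redirectUri: string;
  active: boolean;
}

// Public shape of oauth-apps.info, written as the Pick suggested in review.
type OAuthAppsInfo = Pick<IOAuthApps, 'clientId' | 'name'>;

// Either lookup key accepted by both endpoints.
type OAuthAppsQuery = { _id: string } | { clientId: string };

type ApiResponse<T> = { status: number; body: T | { error: string } };

interface ApiUser {
  username: string;
  roles: string[];
}

// Constructed sample data: one registered third-party app.
const OAUTH_APPS: IOAuthApps[] = [
  {
    _id: 'app-1',
    clientId: 'abc123',
    clientSecret: 'CONSTRUCTED-SECRET-MUST-NOT-LEAK',
    name: 'Example Client',
    redirectUri: 'https://example.invalid/callback',
    active: true,
  },
];

// Copies only the requested keys, so the returned object never carries the rest.
function pick<T, K extends keyof T>(doc: T, keys: readonly K[]): Pick<T, K> {
  const out = {} as Pick<T, K>;
  for (const k of keys) out[k] = doc[k];
  return out;
}

// Stand-in for the model method. The projection (a field list here, a Mongo-style
// object in the real model) decides which attributes leave the data layer at all.
function findOneAuthAppByIdOrClientId<K extends keyof IOAuthApps = keyof IOAuthApps>(
  query: OAuthAppsQuery,
  projection?: readonly K[],
): Pick<IOAuthApps, K> | null {
  const doc = OAUTH_APPS.find((a) => ('_id' in query ? a._id === query._id : a.clientId === query.clientId));
  if (!doc) return null;
  const keys = projection ?? (Object.keys(doc) as K[]);
  return pick(doc, keys);
}

// Permission stub: only the admin role may manage OAuth apps.
function hasPermission(user: ApiUser, permission: string): boolean {
  return permission === 'manage-oauth-apps' && user.roles.indexOf('admin') !== -1;
}

// oauth-apps.get: returns the full document, clientSecret included, so it must
// stay behind the manage-oauth-apps permission.
function oauthAppsGet(user: ApiUser, query: OAuthAppsQuery): ApiResponse<IOAuthApps> {
  if (!hasPermission(user, 'manage-oauth-apps')) return { status: 403, body: { error: 'unauthorized' } };
  const app = findOneAuthAppByIdOrClientId(query);
  if (!app) return { status: 404, body: { error: 'OAuth app not found' } };
  return { status: 200, body: app };
}

// oauth-apps.info: any authenticated user may call it (authRequired is left to the
// framework), only the two consent-screen attributes are fetched, and a missing app
// is reported instead of returning an undefined result.
function oauthAppsInfo(query: OAuthAppsQuery): ApiResponse<OAuthAppsInfo> {
  const app = findOneAuthAppByIdOrClientId(query, ['clientId', 'name'] as const);
  if (!app) return { status: 404, body: { error: 'OAuth app not found' } };
  return { status: 200, body: app };
}

// Regression guard a reviewer would want: does a successful response carry the secret?
function leaksSecret(res: ApiResponse<unknown>): boolean {
  return res.status === 200 && typeof res.body === 'object' && res.body !== null && 'clientSecret' in res.body;
}
```

The point of the projection is that the secret is never materialised in the handler at all: oauthAppsInfo cannot accidentally forward it later, because the object it holds does not contain the field. leaksSecret is the kind of check worth keeping in the endpoint's test suite so a future refactor that drops the projection is caught.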