feat: Allow trusted apps to perform cookie login. #612
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Kelketek
force-pushed
the
fox/port-oauth-trust-fix
branch
from
d930b29
to
b058c45
Compare
Kelketek
force-pushed
the
fox/port-oauth-trust-fix
branch
from
b058c45
to
d9b5f81
Compare
mavidser
approved these changes
Jan 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request allows Oauth applications with the 'skip_authorization' flag to use the cookie login view. This view is used to grant a session cookie as though the user had logged in directly with their username and password. This functionality already works with 'Resource Owner Password Based' grants.
Previous discussion as to why this view was only permitted for Resource Owner Password Based grants pointed toward the need to support third party applications but not allow them to leapfrog privileges.
However, for applications which have the 'skip authorization' flag set, no restrictions on scope are enforced, as the application is permitted to grant itself all scopes without requiring the user's explicit authorization. This kind of power already nearly mirrors cookie login, however some endpoints on the platform are unable to support non-cookie functionality, such as the loading of units and XBlocks.
Supporting information
Slack Thread on the current limitation.
Testing instructions
The easiest way to test is to run the software tests via the devstack using:
But to test it more practically, you would need to:
/oauth2/login/on the LMSDeadline
"None" if there's no rush, or provide a specific date or event (and reason) if there is one.
Other information
This change has some implication for security. While it is of the author's opinion that any application which has the 'skip_authorization' flag set should be considered a trusted application anyway, since it can grant all scopes (and thus has the full power of the API available to the user) any application with this flag may as well be able to log in via cookie.
However that does not necessarily mean that deployments are set up with this assumption. It is conceivable that there could be misconfigured applications that would have the ability to login that otherwise wouldn't, and which would have additional powers unexpected. It seems unlikely that these powers would be especially material, since full privileged API access is already so vast.