diff --git a/src/Ocelot/Authorization/ScopesAuthorizer.cs b/src/Ocelot/Authorization/ScopesAuthorizer.cs
index a905fe86a..18632b70b 100644
--- a/src/Ocelot/Authorization/ScopesAuthorizer.cs
+++ b/src/Ocelot/Authorization/ScopesAuthorizer.cs
@@ -1,4 +1,4 @@
-using Ocelot.Infrastructure.Claims.Parser;
+using Ocelot.Infrastructure.Claims.Parser;
 using Ocelot.Responses;
 using System.Security.Claims;
@@ -28,14 +28,22 @@ public Response Authorize(ClaimsPrincipal claimsPrincipal, List ro
 return new ErrorResponse(values.Errors);
 }
- var userScopes = values.Data;
+ IList userScopes = values.Data;
- var matchesScopes = routeAllowedScopes.Intersect(userScopes);
+ if (userScopes.Count == 1)
+ {
+ var scope = userScopes[0];
+
+ if (scope.Contains(' '))
+ {
+ userScopes = scope.Split(' ', StringSplitOptions.RemoveEmptyEntries);
+ }
+ }
- if (!matchesScopes.Any())
+ if (routeAllowedScopes.Except(userScopes).Any())
 {
 return new ErrorResponse(
- new ScopeNotAuthorizedError($"no one user scope: '{string.Join(',', userScopes)}' match with some allowed scope: '{string.Join(',', routeAllowedScopes)}'"));
+ new ScopeNotAuthorizedError($"User scopes: '{string.Join(',', userScopes)}' do not have all allowed route scopes: '{string.Join(',', routeAllowedScopes)}'"));
 }
 return new OkResponse(true);
diff --git a/test/Ocelot.AcceptanceTests/AuthorizationTests.cs b/test/Ocelot.AcceptanceTests/AuthorizationTests.cs
index b9e43efdc..4207dd5ca 100644
--- a/test/Ocelot.AcceptanceTests/AuthorizationTests.cs
+++ b/test/Ocelot.AcceptanceTests/AuthorizationTests.cs
@@ -177,7 +177,7 @@ public void should_return_response_200_using_identity_server_with_allowed_scope(
 AuthenticationOptions = new FileAuthenticationOptions
 {
 AuthenticationProviderKey = "Test",
- AllowedScopes = new List{ "api", "api.readOnly", "openid", "offline_access" },
+ AllowedScopes = new List{ "api", "api.readOnly" },
 },
 },
 },
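Review bot: The space-splitting in the added block runs only when `userScopes.Count == 1`, so a principal whose parsed scope list holds several entries, one of them itself a space-delimited scope string, is compared unsplit and the new `Except` check rejects it; splitting every entry, `userScopes = userScopes.SelectMany(s => s.Split(' ', StringSplitOptions.RemoveEmptyEntries)).ToList();`, replaces the nine added lines with one and covers both shapes (whether the claims parser can ever return more than one scope entry is not visible in this hunk, so treat this as a shape to confirm rather than a reproduced failure). Replacing `Intersect(...).Any()` with `Except(...).Any()` also flips the empty-list case: with an empty `routeAllowedScopes` the old code returned an error and the new code returns `OkResponse(true)`, which is fail-open if a route can reach this method with no configured scopes, so confirm the caller guards that or add the check here. The body of `Authorize` starts before this hunk, so such a guard may already exist above line 28. The contract has changed from any-of to all-of and nothing in the code records the rule beyond the error text; an XML `<summary>` on `Authorize` stating that every scope in `routeAllowedScopes` must be present among the principal's scopes, and that a single space-separated scope claim is expanded before the comparison, would save the next reader from rediscovering it from the tests.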
diff --git a/test/Ocelot.AcceptanceTests/ClaimsToDownstreamPathTests.cs b/test/Ocelot.AcceptanceTests/ClaimsToDownstreamPathTests.cs
index 1c2e98167..020ca5ae7 100644
--- a/test/Ocelot.AcceptanceTests/ClaimsToDownstreamPathTests.cs
+++ b/test/Ocelot.AcceptanceTests/ClaimsToDownstreamPathTests.cs
@@ -68,7 +68,7 @@ public void should_return_200_and_change_downstream_path()
 AuthenticationProviderKey = "Test",
 AllowedScopes = new List
 {
- "openid", "offline_access", "api",
+ "api",
 },
 },
 ChangeDownstreamPathTemplate =
diff --git a/test/Ocelot.AcceptanceTests/ClaimsToHeadersForwardingTests.cs b/test/Ocelot.AcceptanceTests/ClaimsToHeadersForwardingTests.cs
index 1ca691cf2..b86c8b995 100644
--- a/test/Ocelot.AcceptanceTests/ClaimsToHeadersForwardingTests.cs
+++ b/test/Ocelot.AcceptanceTests/ClaimsToHeadersForwardingTests.cs
@@ -76,7 +76,7 @@ public void should_return_response_200_and_foward_claim_as_header()
 AuthenticationProviderKey = "Test",
 AllowedScopes = new List
 {
- "openid", "offline_access", "api",
+ "api",
 },
 },
 AddHeadersToRequest =
diff --git a/test/Ocelot.AcceptanceTests/ClaimsToQueryStringForwardingTests.cs b/test/Ocelot.AcceptanceTests/ClaimsToQueryStringForwardingTests.cs
index 00c757327..c929f1af8 100644
--- a/test/Ocelot.AcceptanceTests/ClaimsToQueryStringForwardingTests.cs
+++ b/test/Ocelot.AcceptanceTests/ClaimsToQueryStringForwardingTests.cs
@@ -74,7 +74,7 @@ public void should_return_response_200_and_foward_claim_as_query_string()
 AuthenticationProviderKey = "Test",
 AllowedScopes = new List
 {
- "openid", "offline_access", "api",
+ "api",
 },
 },
 AddQueriesToRequest =
@@ -140,7 +140,7 @@ public void should_return_response_200_and_foward_claim_as_query_string_and_pres
 AuthenticationProviderKey = "Test",
 AllowedScopes = new List
 {
- "openid", "offline_access", "api",
+ "api",
 },
 },
 AddQueriesToRequest =