Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Scoped Session Tokens #9265

Open
mstniy opened this issue Jul 31, 2024 · 4 comments
Open

Scoped Session Tokens #9265

mstniy opened this issue Jul 31, 2024 · 4 comments
Labels
type:feature New feature or improvement of existing feature

Comments

@mstniy
Copy link
Contributor

mstniy commented Jul 31, 2024

New Feature / Enhancement Checklist

Current Limitation

Currently session tokens are not scoped. This is limiting for my team as we want to distribute Parse session tokens to our API partners, but restrict their access scope beyond that the corresponding user is capable of. This is a widely used practice for identity providers but unfortunately, to the best of our knowledge, is not supported by Parse.

Feature / Enhancement Description

We propose a relation field on the _Role collection be added to the _Session collection. For backwards compatibility, if this field does not exist in the session object, the corresponding session token has the same set of roles as the user itself. If it does exist, it describes the set of Parse roles the corresponding session token can have direct access to, a subset of the Parse roles the corresponding user has direct access to. Note that indirect roles are not affected.

ACL and CLP checks need to respect the scopes. Cloud functions/triggers could be given access to this restricted set of roles as well.

We are not planning to create scoped session tokens with Parse. Such session tokens will be created by an external OAuth adapter, but we want Parse to respect them.

Example Use Case

Providing an API partner with only read access, or access only to a specific collection/subset of objects.

Alternatives / Workarounds

  • Always handing out regular session tokens (problematic from a security perspective, as then the API partner has more privileges than they actually need)
  • Creating "phantom users" associated with the main user but limited in terms of the Parse roles they have access to, and handing out access token for these (difficult to audit the corresponding logs, business logic (eg. triggers) needs to be phantom-user-aware for certain uses cases).

3rd Party References

GitHub supports access scopes: https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

Copy link

parse-github-assistant bot commented Jul 31, 2024

Thanks for opening this issue!

  • 🎉 We are excited about your ideas for improvement!

@mtrezza mtrezza added the type:feature New feature or improvement of existing feature label Aug 1, 2024
@mtrezza
Copy link
Member

mtrezza commented Aug 1, 2024

Is this something that should be built into Parse Server, or something that could / should be custom-developed, because the specifics can vary depending on use case?

We already have CLP with user scope, which allows to customize access scope on a per-user basis. So any session token associated with that user should be scoped as well. If the current scoping is not enough, what exactly are you trying to scope?

@mstniy
Copy link
Contributor Author

mstniy commented Aug 1, 2024

The advantage of building this into Parse Server is twofold:

  1. Our API consumers just interact with Parse, as opposed to a custom endpoint. They benefit from the SDKs, documentation and can use the REST and graphql APIs to their liking
  2. We don't need to develop and maintain security-critical authorization logic as part of our code.

In this use case, per-user access is not enough, as the request is about scoping session tokens themselves. This means different session tokens for the same user should be able to have different levels of privilege.

@mtrezza
Copy link
Member

mtrezza commented Aug 1, 2024

This means different session tokens for the same user should be able to have different levels of privilege.

Got it. It doesn't sound like a simple thing to complement, and affects multiple repos. Let's keep this up for discussion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
type:feature New feature or improvement of existing feature
Projects
None yet
Development

No branches or pull requests

2 participants