VIP Authhub: Using scope urn:iam:myscopes in grants throws exceptions for some users
Article ID: 382424

Products

VIP Authentication Hub

Issue/Introduction

After upgrading the authentication hub from 3.2.0 to 3.2.1, token requests that include the scope urn:iam:myscopes throw an exception for some users. The problem goes away if that scope is removed and other scopes are used instead. The exception is user specific.

Request:
https://<AH-HOST>/common/oauth2/v1/token
POST: grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&scope=urn%3Aiam%3Amyscopes+....

Response:
{"errorCode":"8000014","errorMessage":"Unknown exception"}

Environment

VIP AuthHub 3.2.1

Resolution

To address this issue, use the "*/<group-name>" notation in the AuthZ policy, i.e. add the */ prefix to each group name in the group principal condition. For example, a policy with the following condition:

"rules": [
    {
        "id": "d59ffc24-702c-43da-***************",
        "conditions": {
            "principal": {
                "group": {
                    "operator": "in",
                    "value": ["Admin Users"]
                },

should be changed as follows:

"rules": [
    {
        "id": "d59ffc24-702c-43da-*************",
        "conditions": {
            "principal": {
                "group": {
                    "operator": "in",
                    "value": ["*/Admin Users"]
                },
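As an added example (not from this article or from the VIP Authentication Hub product), the following Python script audits an exported AuthZ policy for group principal conditions that lack the */ prefix and produces a corrected copy. The policy layout mirrors the fragment above; the rule ids and the group names other than "Admin Users" are constructed placeholders.

```python
import copy
import json

# Constructed sample policy modelled on the fragment in the article (not a real export).
# Rule ids are placeholders; "Admin Users" is from the article, the other groups are made up.
SAMPLE_POLICY = {
    "rules": [
        {
            "id": "<rule-id-placeholder-1>",
            "conditions": {
                "principal": {
                    "group": {"operator": "in", "value": ["Admin Users"]}
                }
            },
        },
        {
            "id": "<rule-id-placeholder-2>",
            "conditions": {
                "principal": {
                    "group": {"operator": "in", "value": ["*/Auditors", "Helpdesk"]}
                }
            },
        },
    ]
}


def find_unprefixed_groups(policy):
    """Return (rule_id, group_name) pairs for group conditions missing the '*/' prefix."""
    findings = []
    for rule in policy.get("rules", []):
        group = rule.get("conditions", {}).get("principal", {}).get("group")
        if not group:
            continue  # rule has no group principal condition
        for name in group.get("value", []):
            if not name.startswith("*/"):
                findings.append((rule.get("id"), name))
    return findings


def apply_group_prefix(policy):
    """Return a deep copy of the policy with '*/' prepended to every unprefixed group name."""
    fixed = copy.deepcopy(policy)
    for rule in fixed.get("rules", []):
        group = rule.get("conditions", {}).get("principal", {}).get("group")
        if not group:
            continue
        group["value"] = [n if n.startswith("*/") else "*/" + n for n in group.get("value", [])]
    return fixed


if __name__ == "__main__":
    print(find_unprefixed_groups(SAMPLE_POLICY))
    print(json.dumps(apply_group_prefix(SAMPLE_POLICY), indent=2))
```

Run the audit function against the exported policy first and review the findings before applying the rewritten copy back to the hub.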