Scope wildcards

In UAA, client scopes may now contain a wildcard. Imagine this scenario:
Client Scopes
- cloud_controller.*
User Joe
- cloud_controller.read
- cloud_controller.write
User Mary
- cloud_controller.read
- cloud_controller.write
- cloud_controller.admin
When respective user requests a token, Joe will receive cloud_controller.read/write and Mary will receive cloud_controller.read/write/admin scopes.
To receive these scopes, the token/authorize request
- may omit scopes entirely, in which case the token receives the default intersection of the client's scopes and the user's scopes
- may include a wildcard scope, cloud_controller.*, but it has to match the scope of the client
- may include a specific scope, cloud_controller.read, that matches a scope assigned to the user
The wildcard matching is very simple. An asterisk, *, represents a wildcard. The wildcard never reaches beyond a dot, ., which is treated as the scope-delimiting character.
For matching examples, take a look at the following tests
- Wild card matching by the UaaAuthorizationRequestManager
- Wildcard to Regular Expression translation
- Token mock tests
Limitations
User scopes may not contain wildcards. In a user scope, an asterisk is not treated as a special character; it matches only itself.
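The following is an added illustration of the matching rules above (the three request cases, the dot-bounded wildcard, and the limitation that a user scope's asterisk is literal); it is not UAA's own code. It assumes that a wildcard in a request must equal one of the client's scope patterns exactly, that a wildcard matches zero or more characters within a single dot-delimited segment, and that an unsatisfiable request is rejected with an InvalidScopeError; the client, Joe and Mary scope lists are constructed from the scenario in the text.

```python
import re
from typing import Iterable, List, Optional


class InvalidScopeError(ValueError):
    """Raised when a requested scope cannot be granted (assumed behaviour)."""


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a client scope pattern into an anchored regular expression.

    A '*' matches zero or more characters inside one dot-delimited segment and
    never crosses a '.', so 'cloud_controller.*' matches 'cloud_controller.read'
    but not 'cloud_controller.read.all'. Every other character is literal.
    """
    segments = []
    for segment in pattern.split("."):
        # Escape the literal pieces of the segment, then re-join them with the
        # wildcard class that stops at the next dot.
        pieces = [re.escape(piece) for piece in segment.split("*")]
        segments.append("[^.]*".join(pieces))
    return re.compile("^" + r"\.".join(segments) + "$")


def scope_matches(pattern: str, scope: str) -> bool:
    """True if the literal scope string is covered by the client pattern."""
    return wildcard_to_regex(pattern).match(scope) is not None


def resolve_scopes(
    client_scopes: Iterable[str],
    user_scopes: Iterable[str],
    requested: Optional[Iterable[str]] = None,
) -> List[str]:
    """Compute the scopes a token receives for this client and user.

    User scopes are always literal strings: an asterisk in a user scope is
    just a character and never expands to anything.
    """
    client_patterns = list(client_scopes)
    user_literals = list(user_scopes)

    def covered_by_client(scope: str) -> bool:
        return any(scope_matches(p, scope) for p in client_patterns)

    if not requested:
        # No scopes requested: default intersection of client patterns and user scopes.
        return sorted(s for s in user_literals if covered_by_client(s))

    granted = set()
    for req in requested:
        if "*" in req:
            # A wildcard request must be one of the client's own patterns (assumption).
            if req not in client_patterns:
                raise InvalidScopeError(f"wildcard scope {req!r} is not a client scope")
            granted.update(s for s in user_literals if scope_matches(req, s))
        else:
            # A specific request must be assigned to the user and permitted by the client.
            if req not in user_literals or not covered_by_client(req):
                raise InvalidScopeError(f"scope {req!r} not available to this user/client")
            granted.add(req)
    return sorted(granted)


# Constructed sample data mirroring the scenario in the text.
CLIENT_SCOPES = ["cloud_controller.*"]
JOE_SCOPES = ["cloud_controller.read", "cloud_controller.write"]
MARY_SCOPES = ["cloud_controller.read", "cloud_controller.write", "cloud_controller.admin"]

if __name__ == "__main__":
    print("Joe, no scopes requested:", resolve_scopes(CLIENT_SCOPES, JOE_SCOPES))
    print("Mary, wildcard requested:", resolve_scopes(CLIENT_SCOPES, MARY_SCOPES, ["cloud_controller.*"]))
    print("Joe, specific scope:", resolve_scopes(CLIENT_SCOPES, JOE_SCOPES, ["cloud_controller.read"]))
```

Because the user's scopes are compared as literal strings, a user who was mistakenly assigned the scope `cloud_controller.*` ends up holding exactly that one literal scope and cannot obtain `cloud_controller.read` from it, which is the limitation stated above.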
Stories Completed
Features