Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Authorization: check application ID

See original GitHub issue

The sandbox token format includes a applicationID field, but the ledger API does not use it to for validation - it is currently only read by the JSON ledger API.

We should add the application ID to Claims, then use it in the ledger API service auth validation if present.

Issue Analytics

State:
Created 4 years ago
Comments:10 (7 by maintainers)

Top GitHub Comments

1reaction

stefanobaghino-dacommented, Jun 15, 2020

My question was not regarding the missing applicationId from a request but the behavior of tokens with an applicationId against a service that does not have such a field. As I mentioned before, I will simply ignore it for the time being. If there are different requirements we can address them separately.

0reactions

rautenrieth-dacommented, Jun 15, 2020

@stefanobaghino-da IMO the ledger should behave as follows:

Field in token | Field in request | Action
---------------+------------------+---------------------------
 Present       | Present          | Authorize IFF values match
 Missing       | Present          | Authorize
 Present       | Missing          | Authorize
 Missing       | Missing          | Authorize
---------------|------------------+---------------------------

i.e.,