stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Fix remaining 403s: Authority envelope middleware + preferences scope

Browse Source 
- Add UseIdentityEnvelopeAuthentication() to Authority service, fixing
  /console/tenants 403. Authority was the last service missing it.
- Add ui.preferences.read and ui.preferences.write to OIDC scope request
  in config.json and PlatformServiceOptions, fixing preferences/language 403.
  The scopes existed in Authority but were never requested by the frontend.

All services now have identity envelope middleware:
  Gateway, Platform, Scanner, JobEngine, Timeline, Integrations,
  Concelier, Authority (8/8 complete)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-17 08:03:35 +02:00
parent 6d91cf36b7
commit 4b7d3587ca
5 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/Platform/StellaOps.Platform.WebService/Options/PlatformServiceOptions.cs
View File

@@ -177,7 +177,7 @@ public sealed class PlatformEnvironmentSettingsOptions
public string RedirectUri { get; set; } = string.Empty;
public string? SilentRefreshRedirectUri { get; set; }
public string? PostLogoutRedirectUri { get; set; }
public string Scope { get; set; } = "openid profile email ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read vuln:view vuln:investigate vuln:operate vuln:audit signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin";
public string Scope { get; set; } = "openid profile email ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read vuln:view vuln:investigate vuln:operate vuln:audit signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin";
public string? Audience { get; set; }
public List<string> DpopAlgorithms { get; set; } = new() { "ES256" };
public int RefreshLeewaySeconds { get; set; } = 60;