Fix remaining 403s: Authority envelope middleware + preferences scope
- Add UseIdentityEnvelopeAuthentication() to Authority service, fixing /console/tenants 403. Authority was the last service missing it. - Add ui.preferences.read and ui.preferences.write to OIDC scope request in config.json and PlatformServiceOptions, fixing preferences/language 403. The scopes existed in Authority but were never requested by the frontend. All services now have identity envelope middleware: Gateway, Platform, Scanner, JobEngine, Timeline, Integrations, Concelier, Authority (8/8 complete) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
@@ -1814,6 +1814,7 @@ app.UseRouting();
|
|||||||
app.UseAuthorityRateLimiterContext();
|
app.UseAuthorityRateLimiterContext();
|
||||||
app.UseRateLimiter();
|
app.UseRateLimiter();
|
||||||
app.UseStellaOpsCors();
|
app.UseStellaOpsCors();
|
||||||
|
app.UseIdentityEnvelopeAuthentication();
|
||||||
app.UseAuthentication();
|
app.UseAuthentication();
|
||||||
app.UseAuthorization();
|
app.UseAuthorization();
|
||||||
app.TryUseStellaRouter(routerEnabled);
|
app.TryUseStellaRouter(routerEnabled);
|
||||||
|
|||||||
@@ -35,6 +35,7 @@
|
|||||||
<ProjectReference Include="../../../__Libraries/StellaOps.Configuration.AuthorityPlugin/StellaOps.Configuration.AuthorityPlugin.csproj" />
|
<ProjectReference Include="../../../__Libraries/StellaOps.Configuration.AuthorityPlugin/StellaOps.Configuration.AuthorityPlugin.csproj" />
|
||||||
<ProjectReference Include="../../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
|
<ProjectReference Include="../../../__Libraries/StellaOps.DependencyInjection/StellaOps.DependencyInjection.csproj" />
|
||||||
<ProjectReference Include="../../../Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj" />
|
<ProjectReference Include="../../../Attestor/StellaOps.Attestation/StellaOps.Attestation.csproj" />
|
||||||
|
<ProjectReference Include="../../../Router/__Libraries/StellaOps.Router.AspNet/StellaOps.Router.AspNet.csproj" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<EmbeddedResource Include="Pages\*.html" />
|
<EmbeddedResource Include="Pages\*.html" />
|
||||||
|
|||||||
@@ -177,7 +177,7 @@ public sealed class PlatformEnvironmentSettingsOptions
|
|||||||
public string RedirectUri { get; set; } = string.Empty;
|
public string RedirectUri { get; set; } = string.Empty;
|
||||||
public string? SilentRefreshRedirectUri { get; set; }
|
public string? SilentRefreshRedirectUri { get; set; }
|
||||||
public string? PostLogoutRedirectUri { get; set; }
|
public string? PostLogoutRedirectUri { get; set; }
|
||||||
public string Scope { get; set; } = "openid profile email ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read vuln:view vuln:investigate vuln:operate vuln:audit signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin";
|
public string Scope { get; set; } = "openid profile email ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read scheduler:read vuln:view vuln:investigate vuln:operate vuln:audit signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin";
|
||||||
public string? Audience { get; set; }
|
public string? Audience { get; set; }
|
||||||
public List<string> DpopAlgorithms { get; set; } = new() { "ES256" };
|
public List<string> DpopAlgorithms { get; set; } = new() { "ES256" };
|
||||||
public int RefreshLeewaySeconds { get; set; } = 60;
|
public int RefreshLeewaySeconds { get; set; } = 60;
|
||||||
|
|||||||
@@ -8,7 +8,7 @@
|
|||||||
"redirectUri": "/auth/callback",
|
"redirectUri": "/auth/callback",
|
||||||
"silentRefreshRedirectUri": "/auth/silent-refresh",
|
"silentRefreshRedirectUri": "/auth/silent-refresh",
|
||||||
"postLogoutRedirectUri": "/",
|
"postLogoutRedirectUri": "/",
|
||||||
"scope": "openid profile email offline_access ui.read ui.admin authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit registry.admin signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin",
|
"scope": "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:users.read authority:roles.read authority:clients.read authority:tokens.read authority:branding.read authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve orch:read analytics.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit registry.admin signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin",
|
||||||
"audience": "/scanner",
|
"audience": "/scanner",
|
||||||
"dpopAlgorithms": ["ES256"],
|
"dpopAlgorithms": ["ES256"],
|
||||||
"refreshLeewaySeconds": 60
|
"refreshLeewaySeconds": 60
|
||||||
|
|||||||
@@ -7,7 +7,7 @@
|
|||||||
"logoutEndpoint": "https://authority.example.dev/connect/logout",
|
"logoutEndpoint": "https://authority.example.dev/connect/logout",
|
||||||
"redirectUri": "http://localhost:4400/auth/callback",
|
"redirectUri": "http://localhost:4400/auth/callback",
|
||||||
"postLogoutRedirectUri": "http://localhost:4400/",
|
"postLogoutRedirectUri": "http://localhost:4400/",
|
||||||
"scope": "openid profile email ui.read authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read release:read release:write release:publish vuln:view vuln:investigate vuln:operate vuln:audit registry.admin signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin",
|
"scope": "openid profile email ui.read ui.preferences.read ui.preferences.write authority:tenants.read advisory:read vex:read exceptions:read exceptions:approve aoc:verify findings:read orch:read release:read release:write release:publish vuln:view vuln:investigate vuln:operate vuln:audit registry.admin signer:read signer:sign signer:rotate signer:admin trust:read trust:write trust:admin",
|
||||||
"audience": "https://scanner.example.dev",
|
"audience": "https://scanner.example.dev",
|
||||||
"dpopAlgorithms": ["ES256"],
|
"dpopAlgorithms": ["ES256"],
|
||||||
"refreshLeewaySeconds": 60
|
"refreshLeewaySeconds": 60
|
||||||
|
|||||||
Reference in New Issue
Block a user