asf-tooling opened a new issue, #1052: URL: https://github.com/apache/tooling-trusted-releases/issues/1052
**ASVS Level(s):** L2-only

**Description:**

### Summary

The OAuth authorization request does not include a `scope` parameter. ATR receives whatever data `oauth.apache.org` returns by default without requesting only the minimum claims needed (e.g., `uid`, `dn`, `fullname`). While scope assignment is the Authorization Server's responsibility, the OAuth client should request only the scopes it needs per the principle of least privilege (OAuth 2.0 Security Best Current Practice §2.4). If `oauth.apache.org` returns more data than ATR needs, it increases the surface area of session data that could be exposed in a session compromise.

### Details

The issue exists in `src/asfquart/generics.py` line 11 (OAUTH_URL_INIT definition) and lines 36-50 (oauth_endpoint implementation). The authorization URL does not include a scope parameter, relying entirely on the Authorization Server's default scope assignment.

### Recommended Remediation

Add an explicit scope parameter to the OAuth authorization URL:

```python
OAUTH_URL_INIT = 'https://oauth.apache.org/auth-oidc?state=%s&redirect_uri=%s&scope=openid+uid+dn+fullname'
```

Coordinate with `oauth.apache.org` maintainers to verify:

1. Whether the service supports granular scope parameters
2. What the current client registration assigns
3. Whether client-side scope requests are honored

If not supported, document as accepted risk and ensure AS-side client registration is minimal.

**Alternative if scope parameters are not supported:**

```markdown
# In SECURITY.md or architecture documentation

## OAuth Scope Limitation

**Accepted Risk:** oauth.apache.org does not support client-side scope requests.

**Mitigation:**

- Client registration at oauth.apache.org configured for minimal scope
- Session data filtered to store only required fields (uid, dn, fullname)
- Periodic review of oauth.apache.org client configuration
```

### Acceptance Criteria

- [ ] Scope parameter added to OAuth authorization URL
- [ ] Coordination completed with oauth.apache.org maintainers
- [ ] Verification that scope requests are honored
- [ ] OR: Accepted risk documented if scope parameters not supported
- [ ] Session data storage verified to include only necessary fields
- [ ] Unit tests verify only expected fields are stored in session
- [ ] Documentation updated with scope requirements

### References

- Source reports: L2:10.4.11.md
- Related findings: FINDING-280, FINDING-281
- ASVS sections: 10.4.11

### Priority

Medium

---

**Triage notes:** low, also let asfquart know about this

-- 
This is an automated message from the Apache Git Service.
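The two remediation halves above, an explicit minimal `scope` on the authorization URL and an allowlist on what reaches the session, as an added example. This is not asfquart's or ATR's code; `build_auth_url`, `filter_session_fields`, the `REQUIRED_SCOPES`/`SESSION_FIELDS` allowlists, the callback URL and the sample identity payload are assumptions for illustration. It goes a step beyond the `%s` template in the issue by URL-encoding `state` and `redirect_uri` with `urlencode` rather than string substitution, and by rejecting a payload that lacks a required field instead of silently storing a partial identity:

```python
"""Least-privilege OAuth authorization URL plus session-field allowlisting.

Added example, not asfquart's own code. Helper names, the scope list, the
callback URL and SAMPLE_PAYLOAD below are assumptions for illustration.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed endpoint, mirroring the OAUTH_URL_INIT base in the issue text.
AUTH_ENDPOINT = "https://oauth.apache.org/auth-oidc"

# Only the claims ATR needs (assumed allowlist, per the issue's summary).
REQUIRED_SCOPES = ("openid", "uid", "dn", "fullname")
SESSION_FIELDS = frozenset({"uid", "dn", "fullname"})


def build_auth_url(state: str, redirect_uri: str, scopes=REQUIRED_SCOPES) -> str:
    """Return the authorization URL with an explicit, minimal scope parameter.

    urlencode escapes state and redirect_uri (a '%s' template does not), and the
    scope values are joined with a space as RFC 6749 section 3.3 requires;
    urlencode renders that space as '+', matching the issue's suggested URL.
    """
    if not scopes:
        raise ValueError("at least one scope must be requested")
    query = urlencode({
        "state": state,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
    })
    return f"{AUTH_ENDPOINT}?{query}"


def requested_scopes(url: str) -> list[str]:
    """Parse the scope parameter back out of an authorization URL (for checks)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("scope", [""])[0].split()


def filter_session_fields(payload: dict, allowed=SESSION_FIELDS) -> dict:
    """Keep only allowlisted fields from the Authorization Server's response.

    Anything the AS returns beyond the allowlist (e-mail, group membership,
    tokens, ...) is dropped before it is written to the session, so a session
    compromise exposes no more than the fields ATR actually uses. A payload
    missing a required field is rejected rather than stored half-filled.
    """
    missing = allowed - payload.keys()
    if missing:
        raise ValueError(f"identity payload missing required fields: {sorted(missing)}")
    return {k: payload[k] for k in sorted(allowed)}


# Constructed sample response: deliberately more than ATR needs, as the
# issue anticipates the AS may return.
SAMPLE_PAYLOAD = {
    "uid": "jdoe",
    "dn": "uid=jdoe,ou=people,dc=apache,dc=org",
    "fullname": "Jane Doe",
    "email": "jdoe@example.org",
    "groups": ["committers", "pmc-example"],
    "access_token": "not-for-the-session",
}

if __name__ == "__main__":
    url = build_auth_url("abc123", "https://atr.example.org/auth/callback")
    print(url)
    print(requested_scopes(url))
    print(filter_session_fields(SAMPLE_PAYLOAD))
```

If `oauth.apache.org` turns out to ignore client-side `scope`, the URL change is harmless and `filter_session_fields` is the part that still enforces the accepted-risk mitigation; a unit test asserting that the stored dict's keys equal `SESSION_FIELDS` covers the corresponding acceptance criterion.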
