Add support for dynamic scopes

[stanhu]

This commit adds support for dynamic scopes, which are disabled by default.

As discussed in keycloak/keycloak#8486, a dynamic scope notation is in the form:

<static-part>:<variable-part>

The objective of this feature is to have a static part of the scope that represents an entity and a variable part that identifies the entity.

For example, a scope of user:1 could be interpreted as allowing access to perform actions of user 1. A wildcard (*) is allowed in the variable part, such as user:*. This scope allows the request to perform actions as any users.

Dynamic scopes can be enabled via:

Doorkeeper.configure do
  enable_dynamic_scopes
end

A custom delimiter can also be configured:

Doorkeeper.configure do
  enable_dynamic_scopes(delimiter: '-')
end

Relates to #431

[stanhu]

@nbulaj What do you think of this pull request? Also I'm not sure how best to fix the Code Climate errors. I tried to disable the method-count check for just this file, but it seems that Code Climate can't do that. https://docs.codeclimate.com/docs/excluding-files-and-folders says:

Exclusions can only be made at the global level (excluding code from all analysis) or at the plugin-level (excluding code only from specific third-party plugins). Currently, exclusions cannot be made for individual maintainability checks.

[grzesiek]

+1

[samg]

We're long time users of Doorkeeper and having the ability to use dynamic scopes in Doorkeeper would be very helpful to the projects we have planned. 😄 Are there any plans to merge this and include it in the gem?

[nbulaj]

hey @stanhu 👋 Sounds interesting, but I wasn't able to find some RFC. So it looks like a custom addition to the spec. Do we have any docs to reference? Except keycloack 😄

[stanhu]

@nbulaj I don't think there is a spec governing how scopes are handled; I think that is an application-specific decision. I will keep looking.

[stanhu]

As https://datatracker.ietf.org/doc/html/rfc6749#page-23 mentions:

The strings are defined by the authorization server.

RabbitMQ, for example, supports wildcard OAuth2 scopes: https://www.rabbitmq.com/docs/oauth2#scope-translation

[nbulaj]

Anyway I like it 👍

[nbulaj]

I see tests failing but seems to be related to something else 🤔 Looks like something change in Rails

[stanhu]

The tests are failing due to https://github.com/doorkeeper-gem/doorkeeper//commit/b4bd6803147934d41d0d19642ef8e97d48984090. Rails is showing the exception because ActionDispatch::Request.show_exception? is returning true since older Rails versions expect that false is used: https://github.com/rails/rails/blob/v7.0.8.4/actionpack/lib/action_dispatch/http/request.rb#L186

rails/rails#45867 deprecated false in favor of :all, :none, and :rescuable for Rails 7.1.

[stanhu]

#1742 fixes the broken Rails tests.

[nbulaj]

Can we rebase now @stanhu ? Above one is merged now 🙇

[stanhu]

@nbulaj Done, thanks!

[stanhu]

@nbulaj Friendly ping: could you take a look at this pull request?

[nbulaj]

Just checked, awesome work, LGTM 👍

[nbulaj]

Can we please add a changelog entry? 🙏

[stanhu]

@nbulaj Done!

[stanhu]

@nbulaj Thank you for the merge! Would you mind tagging a new release?

[nbulaj]

Will review rest of the opened MRs tomorrow and yes, will prepare a release. Maybe more can be included as well

[ThisIsMissEm]

I wonder if we could support nested scopes in a similar way? e.g., write:account is covered by the write:account and write scopes — we currently have a sizeable amount of code in mastodon to support this.