Restrict access to SCIM scopes to admins only

Also client credentials flow is still allowed
indigo-iam · Jan 31, 2025 · 5f20592 · 5f20592
1 parent c0c4802
commit 5f20592
Show file tree

Hide file tree

Showing 4 changed files with 197 additions and 240 deletions.
diff --git a/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/scope/pdp/DefaultScopeFilter.java b/iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/scope/pdp/DefaultScopeFilter.java
@@ -47,7 +47,7 @@ public class DefaultScopeFilter implements ScopeFilter {
 
   public static final Logger LOG = LoggerFactory.getLogger(DefaultScopeFilter.class);
 
-  public static final Set<String> ADMIN_SCOPES = Set.of("iam:admin.read", "iam:admin.write");
+  public static final Set<String> ADMIN_SCOPES = Set.of("iam:admin.read", "iam:admin.write", "scim:read", "scim:write");
 
   private static final Set<String> EXCLUDED_SCOPES = Set.of("openid");