Allowed scopes checking added to AuthorisationMiddleware.

Acceptance tests added.

src/Ocelot/Authorisation/ClaimsAuthoriser.cs

@@ -7,7 +7,7 @@ namespace Ocelot.Authorisation
 {
     using Infrastructure.Claims.Parser;
 
-    public class ClaimsAuthoriser : IAuthoriser
+    public class ClaimsAuthoriser : IClaimsAuthoriser
     {
         private readonly IClaimsParser _claimsParser;
 

src/Ocelot/Authorisation/IClaimsAuthoriser.cs

@@ -5,9 +5,8 @@ namespace Ocelot.Authorisation
 {
     using System.Collections.Generic;
 
-    public interface IAuthoriser
+    public interface IClaimsAuthoriser
     {
-        Response<bool> Authorise(ClaimsPrincipal claimsPrincipal,
-            Dictionary<string, string> routeClaimsRequirement);
+        Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, Dictionary<string, string> routeClaimsRequirement);
     }
 }

src/Ocelot/Authorisation/IScopesAuthoriser.cs

@@ -0,0 +1,12 @@
+using System.Security.Claims;
+using Ocelot.Responses;
+
+namespace Ocelot.Authorisation
+{
+    using System.Collections.Generic;
+
+    public interface IScopesAuthoriser
+    {
+        Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes);
+    }
+}

src/Ocelot/Authorisation/Middleware/AuthorisationMiddleware.cs

@@ -1,6 +1,7 @@
 using Ocelot.Infrastructure.RequestData;
 using Ocelot.Logging;
 using Ocelot.Responses;
+using Ocelot.Configuration;
 
 namespace Ocelot.Authorisation.Middleware
 {
@@ -13,17 +14,20 @@ namespace Ocelot.Authorisation.Middleware
     public class AuthorisationMiddleware : OcelotMiddleware
     {
         private readonly RequestDelegate _next;
-        private readonly IAuthoriser _authoriser;
+        private readonly IClaimsAuthoriser _claimsAuthoriser;
+        private readonly IScopesAuthoriser _scopesAuthoriser;
         private readonly IOcelotLogger _logger;
 
         public AuthorisationMiddleware(RequestDelegate next,
             IRequestScopedDataRepository requestScopedDataRepository,
-            IAuthoriser authoriser,
+            IClaimsAuthoriser claimsAuthoriser,
+            IScopesAuthoriser scopesAuthoriser,
             IOcelotLoggerFactory loggerFactory)
             : base(requestScopedDataRepository)
         {
             _next = next;
-            _authoriser = authoriser;
+            _claimsAuthoriser = claimsAuthoriser;
+            _scopesAuthoriser = scopesAuthoriser;
             _logger = loggerFactory.CreateLogger<AuthorisationMiddleware>();
         }
 
@@ -31,11 +35,41 @@ namespace Ocelot.Authorisation.Middleware
         {
             _logger.LogDebug("started authorisation");
 
-            if (DownstreamRoute.ReRoute.IsAuthorised)
+            if (IsAuthenticatedRoute(DownstreamRoute.ReRoute))
+            {
+                _logger.LogDebug("route is authenticated scopes must be checked");
+
+                var authorised = _scopesAuthoriser.Authorise(context.User, DownstreamRoute.ReRoute.AuthenticationOptions.AllowedScopes);
+
+                if (authorised.IsError)
+                {
+                    _logger.LogDebug("error authorising user scopes");
+
+                    SetPipelineError(authorised.Errors);
+                    return;
+                }
+
+                if (IsAuthorised(authorised))
+                {
+                    _logger.LogDebug("user scopes is authorised calling next authorisation checks");
+                }
+                else
+                {
+                    _logger.LogDebug("user scopes is not authorised setting pipeline error");
+
+                    SetPipelineError(new List<Error>
+                    {
+                        new UnauthorisedError(
+                            $"{context.User.Identity.Name} unable to access {DownstreamRoute.ReRoute.UpstreamPathTemplate.Value}")
+                    });
+                }
+            }
+
+            if (IsAuthorisedRoute(DownstreamRoute.ReRoute))
             {
                 _logger.LogDebug("route is authorised");
 
-                var authorised = _authoriser.Authorise(context.User, DownstreamRoute.ReRoute.RouteClaimsRequirement);
+                var authorised = _claimsAuthoriser.Authorise(context.User, DownstreamRoute.ReRoute.RouteClaimsRequirement);
 
                 if (authorised.IsError)
                 {
@@ -78,5 +112,15 @@ namespace Ocelot.Authorisation.Middleware
         {
             return authorised.Data;
         }
+
+        private static bool IsAuthenticatedRoute(ReRoute reRoute)
+        {
+            return reRoute.IsAuthenticated;
+        }
+
+        private static bool IsAuthorisedRoute(ReRoute reRoute)
+        {
+            return reRoute.IsAuthorised;
+        }
     }
 }

src/Ocelot/Authorisation/ScopeNotAuthorisedError.cs

@@ -0,0 +1,12 @@
+using Ocelot.Errors;
+
+namespace Ocelot.Authorisation
+{
+    public class ScopeNotAuthorisedError : Error
+    {
+        public ScopeNotAuthorisedError(string message) 
+            : base(message, OcelotErrorCode.ScopeNotAuthorisedError)
+        {
+        }
+    }
+}

src/Ocelot/Authorisation/ScopesAuthoriser.cs

@@ -0,0 +1,51 @@
+using IdentityModel;
+using Ocelot.Errors;
+using Ocelot.Responses;
+using System.Collections.Generic;
+using System.Security.Claims;
+using System.Linq;
+
+namespace Ocelot.Authorisation
+{
+    using Infrastructure.Claims.Parser;
+
+    public class ScopesAuthoriser : IScopesAuthoriser
+    {
+        private readonly IClaimsParser _claimsParser;
+
+        public ScopesAuthoriser(IClaimsParser claimsParser)
+        {
+            _claimsParser = claimsParser;
+        }
+
+        public Response<bool> Authorise(ClaimsPrincipal claimsPrincipal, List<string> routeAllowedScopes)
+        {
+            if (routeAllowedScopes == null || routeAllowedScopes.Count == 0)
+            {
+                return new OkResponse<bool>(true);
+            }
+
+            var values = _claimsParser.GetValuesByClaimType(claimsPrincipal.Claims, JwtClaimTypes.Scope);
+
+            if (values.IsError)
+            {
+                return new ErrorResponse<bool>(values.Errors);
+            }
+
+            var userScopes = values.Data;
+
+            List<string> matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
+
+            if (matchesScopes == null || matchesScopes.Count == 0)
+            {
+                return new ErrorResponse<bool>(new List<Error>
+                {
+                     new ScopeNotAuthorisedError(
+                         $"no one user scope: '{string.Join(",", userScopes)}' match with some allowed scope: '{string.Join(",", routeAllowedScopes)}'")
+                });
+            }
+
+            return new OkResponse<bool>(true);
+        }
+    }
+}

src/Ocelot/DependencyInjection/ServiceCollectionExtensions.cs

@@ -144,7 +144,8 @@ namespace Ocelot.DependencyInjection
             services.TryAddSingleton<IRemoveOutputHeaders, RemoveOutputHeaders>();
             services.TryAddSingleton<IOcelotConfigurationProvider, OcelotConfigurationProvider>();
             services.TryAddSingleton<IClaimToThingConfigurationParser, ClaimToThingConfigurationParser>();
-            services.TryAddSingleton<IAuthoriser, ClaimsAuthoriser>();
+            services.TryAddSingleton<IClaimsAuthoriser, ClaimsAuthoriser>();
+            services.TryAddSingleton<IScopesAuthoriser, ScopesAuthoriser>();
             services.TryAddSingleton<IAddClaimsToRequest, AddClaimsToRequest>();
             services.TryAddSingleton<IAddHeadersToRequest, AddHeadersToRequest>();
             services.TryAddSingleton<IAddQueriesToRequest, AddQueriesToRequest>();

src/Ocelot/Errors/OcelotErrorCode.cs

@@ -17,6 +17,7 @@
         InstructionNotForClaimsError,
         UnauthorizedError,
         ClaimValueNotAuthorisedError,
+        ScopeNotAuthorisedError,
         UserDoesNotHaveClaimError,
         DownstreamPathTemplateContainsSchemeError,
         DownstreamPathNullOrEmptyError,

src/Ocelot/Infrastructure/Claims/Parser/ClaimsParser.cs

@@ -1,10 +1,10 @@
 namespace Ocelot.Infrastructure.Claims.Parser
 {
+    using Errors;
+    using Responses;
     using System.Collections.Generic;
     using System.Linq;
     using System.Security.Claims;
-    using Errors;
-    using Responses;
 
     public class ClaimsParser : IClaimsParser
     {
@@ -37,6 +37,17 @@
             return new OkResponse<string>(value);
         }
 
+
+        public Response<List<string>> GetValuesByClaimType(IEnumerable<Claim> claims, string claimType)
+        {
+            List<string> values = new List<string>();
+
+            values.AddRange(claims.Where(x => x.Type == claimType).Select(x => x.Value).ToList());
+
+            return new OkResponse<List<string>>(values);
+        }
+
+
         private Response<string> GetValue(IEnumerable<Claim> claims, string key)
         {
             var claim = claims.FirstOrDefault(c => c.Type == key);

src/Ocelot/Infrastructure/Claims/Parser/IClaimsParser.cs

@@ -7,5 +7,6 @@
     public interface IClaimsParser
     {
         Response<string> GetValue(IEnumerable<Claim> claims, string key, string delimiter, int index);
+        Response<List<string>> GetValuesByClaimType(IEnumerable<Claim> claims, string claimType);
     }
 }

src/Ocelot/Responder/ErrorsToHttpStatusCodeMapper.cs

@@ -15,6 +15,7 @@ namespace Ocelot.Responder
 
             if (errors.Any(e => e.Code == OcelotErrorCode.UnauthorizedError 
                 || e.Code == OcelotErrorCode.ClaimValueNotAuthorisedError
+                || e.Code == OcelotErrorCode.ScopeNotAuthorisedError
                 || e.Code == OcelotErrorCode.UserDoesNotHaveClaimError
                 || e.Code == OcelotErrorCode.CannotFindClaimError))
             {

test/Ocelot.AcceptanceTests/AuthenticationTests.cs

@@ -189,45 +189,6 @@ namespace Ocelot.AcceptanceTests
                 .BDDfy();
         }
 
-        [Fact]
-        public void should_return_response_403_using_identity_server_with_scope_not_allowed()
-        {
-            var configuration = new FileConfiguration
-            {
-                ReRoutes = new List<FileReRoute>
-                    {
-                        new FileReRoute
-                        {
-                            DownstreamPathTemplate = _downstreamServicePath,
-                            DownstreamPort = _downstreamServicePort,
-                            DownstreamHost = _downstreamServiceHost,
-                            DownstreamScheme = _downstreamServiceScheme,
-                            UpstreamPathTemplate = "/",
-                            UpstreamHttpMethod = new List<string> { "Get" },
-                            AuthenticationOptions = new FileAuthenticationOptions
-                            {
-                                AllowedScopes =  new List<string>{ "api", "openid", "offline_access" },
-                                Provider = "IdentityServer",
-                                ProviderRootUrl = _identityServerRootUrl,
-                                RequireHttps = false,
-                                ApiName = "api",
-                                ApiSecret = "secret"
-                            }
-                        }
-                    }
-            };
-
-            this.Given(x => x.GivenThereIsAnIdentityServerOn(_identityServerRootUrl, "api", "api2", AccessTokenType.Jwt))
-                .And(x => x.GivenThereIsAServiceRunningOn(_downstreamServiceUrl, 200, "Hello from Laura"))
-                .And(x => _steps.GivenIHaveATokenForApiReadOnlyScope(_identityServerRootUrl))
-                .And(x => _steps.GivenThereIsAConfiguration(configuration))
-                .And(x => _steps.GivenOcelotIsRunning())
-                .And(x => _steps.GivenIHaveAddedATokenToMyRequest())
-                .When(x => _steps.WhenIGetUrlOnTheApiGateway("/"))
-                .Then(x => _steps.ThenTheStatusCodeShouldBe(HttpStatusCode.Forbidden))
-                .BDDfy();
-        }
-
         [Fact]
         public void should_return_201_using_identity_server_access_token()
         {

test/Ocelot.AcceptanceTests/AuthorisationTests.cs

@@ -140,6 +140,84 @@ namespace Ocelot.AcceptanceTests
                 .BDDfy();
         }
 
+        [Fact]
+        public void should_return_response_200_using_identity_server_with_allowed_scope()
+        {
+            var configuration = new FileConfiguration
+            {
+                ReRoutes = new List<FileReRoute>
+                    {
+                        new FileReRoute
+                        {
+                            DownstreamPathTemplate = "/",
+                            DownstreamPort = 51876,
+                            DownstreamHost = "localhost",
+                            DownstreamScheme = "http",
+                            UpstreamPathTemplate = "/",
+                            UpstreamHttpMethod = new List<string> { "Get" },
+                            AuthenticationOptions = new FileAuthenticationOptions
+                            {
+                                AllowedScopes =  new List<string>{ "api", "api.readOnly", "openid", "offline_access" },
+                                Provider = "IdentityServer",
+                                ProviderRootUrl = "http://localhost:51888",
+                                RequireHttps = false,
+                                ApiName = "api",
+                                ApiSecret = "secret"
+                            }
+                        }
+                    }
+            };
+
+            this.Given(x => x.GivenThereIsAnIdentityServerOn("http://localhost:51888", "api", AccessTokenType.Jwt))
+                .And(x => x.GivenThereIsAServiceRunningOn("http://localhost:51876", 200, "Hello from Laura"))
+                .And(x => _steps.GivenIHaveATokenForApiReadOnlyScope("http://localhost:51888"))
+                .And(x => _steps.GivenThereIsAConfiguration(configuration))
+                .And(x => _steps.GivenOcelotIsRunning())
+                .And(x => _steps.GivenIHaveAddedATokenToMyRequest())
+                .When(x => _steps.WhenIGetUrlOnTheApiGateway("/"))
+                .Then(x => _steps.ThenTheStatusCodeShouldBe(HttpStatusCode.OK))
+                .BDDfy();
+        }
+
+        [Fact]
+        public void should_return_response_403_using_identity_server_with_scope_not_allowed()
+        {
+            var configuration = new FileConfiguration
+            {
+                ReRoutes = new List<FileReRoute>
+                    {
+                        new FileReRoute
+                        {
+                            DownstreamPathTemplate = "/",
+                            DownstreamPort = 51876,
+                            DownstreamHost = "localhost",
+                            DownstreamScheme = "http",
+                            UpstreamPathTemplate = "/",
+                            UpstreamHttpMethod = new List<string> { "Get" },
+                            AuthenticationOptions = new FileAuthenticationOptions
+                            {
+                                AllowedScopes =  new List<string>{ "api", "openid", "offline_access" },
+                                Provider = "IdentityServer",
+                                ProviderRootUrl = "http://localhost:51888",
+                                RequireHttps = false,
+                                ApiName = "api",
+                                ApiSecret = "secret"
+                            }
+                        }
+                    }
+            };
+
+            this.Given(x => x.GivenThereIsAnIdentityServerOn("http://localhost:51888", "api", AccessTokenType.Jwt))
+                .And(x => x.GivenThereIsAServiceRunningOn("http://localhost:51876", 200, "Hello from Laura"))
+                .And(x => _steps.GivenIHaveATokenForApiReadOnlyScope("http://localhost:51888"))
+                .And(x => _steps.GivenThereIsAConfiguration(configuration))
+                .And(x => _steps.GivenOcelotIsRunning())
+                .And(x => _steps.GivenIHaveAddedATokenToMyRequest())
+                .When(x => _steps.WhenIGetUrlOnTheApiGateway("/"))
+                .Then(x => _steps.ThenTheStatusCodeShouldBe(HttpStatusCode.Forbidden))
+                .BDDfy();
+        }
+
         private void GivenThereIsAServiceRunningOn(string url, int statusCode, string responseBody)
         {
             _servicebuilder = new WebHostBuilder()
@@ -185,6 +263,7 @@ namespace Ocelot.AcceptanceTests
                                 Scopes = new List<Scope>()
                                 {
                                     new Scope("api"),
+                                    new Scope("api.readOnly"),
                                     new Scope("openid"),
                                     new Scope("offline_access")
                                 },
@@ -209,7 +288,7 @@ namespace Ocelot.AcceptanceTests
                                 ClientId = "client",
                                 AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                                 ClientSecrets = new List<Secret> {new Secret("secret".Sha256())},
-                                AllowedScopes = new List<string> { apiName, "openid", "offline_access" },
+                                AllowedScopes = new List<string> { apiName, "api.readOnly", "openid", "offline_access" },
                                 AccessTokenType = tokenType,
                                 Enabled = true,
                                 RequireClientSecret = false

test/Ocelot.AcceptanceTests/ClaimsToHeadersForwardingTests.cs

@@ -61,7 +61,7 @@ namespace Ocelot.AcceptanceTests
                             {
 								AllowedScopes = new List<string>
                                 {
-                                    "openid", "offline_access"
+                                    "openid", "offline_access", "api"
                                 },
                                 Provider = "IdentityServer",
                                 ProviderRootUrl = "http://localhost:52888",

test/Ocelot.AcceptanceTests/ClaimsToQueryStringForwardingTests.cs

@@ -61,7 +61,7 @@ namespace Ocelot.AcceptanceTests
                             {
 								AllowedScopes = new List<string>
                                 {
-                                    "openid", "offline_access"
+                                    "openid", "offline_access", "api"
                                 },
                                 Provider = "IdentityServer",
                                 ProviderRootUrl = "http://localhost:57888",

test/Ocelot.UnitTests/Authorization/AuthorisationMiddlewareTests.cs

@@ -25,7 +25,8 @@ namespace Ocelot.UnitTests.Authorization
     public class AuthorisationMiddlewareTests : IDisposable
     {
         private readonly Mock<IRequestScopedDataRepository> _scopedRepository;
-        private readonly Mock<IAuthoriser> _authService;
+        private readonly Mock<IClaimsAuthoriser> _authService;
+        private readonly Mock<IScopesAuthoriser> _authScopesService;
         private readonly string _url;
         private readonly TestServer _server;
         private readonly HttpClient _client;
@@ -36,7 +37,8 @@ namespace Ocelot.UnitTests.Authorization
         {
             _url = "http://localhost:51879";
             _scopedRepository = new Mock<IRequestScopedDataRepository>();
-            _authService = new Mock<IAuthoriser>();
+            _authService = new Mock<IClaimsAuthoriser>();
+            _authScopesService = new Mock<IScopesAuthoriser>();
 
             var builder = new WebHostBuilder()
               .ConfigureServices(x =>
@@ -44,6 +46,7 @@ namespace Ocelot.UnitTests.Authorization
                   x.AddSingleton<IOcelotLoggerFactory, AspDotNetLoggerFactory>();
                   x.AddLogging();
                   x.AddSingleton(_authService.Object);
+                  x.AddSingleton(_authScopesService.Object);
                   x.AddSingleton(_scopedRepository.Object);
               })
               .UseUrls(_url)