Fix bug in client with no scopes (#830)

Co-authored-by: Paul Sanders <[email protected]>
Co-authored-by: eastandwestwind <[email protected]>

CHANGELOG.md

@@ -40,6 +40,7 @@ The types of changes are:
 * Fix publish_docs CI action [#818](https://github.com/ethyca/fidesops/pull/818)
 * Bump fideslib to handle base64 encoded password [#820](https://github.com/ethyca/fidesops/pull/820)
 * Stop masking uvicorn logs by default [#831](https://github.com/ethyca/fidesops/pull/831)
+* Fix error when there are no scopes in `ClientDetail` [#830](https://github.com/ethyca/fidesops/pull/830)
 
 ## Changed
 * Changed wording on Admin UI login page [#774](https://github.com/ethyca/fidesops/pull/774)

requirements.txt

@@ -10,7 +10,7 @@ fastapi-caching[redis]
 fastapi-pagination[sqlalchemy]~= 0.8.3
 fastapi[all]==0.78.0
 fideslang==1.0.0
-fideslib==2.2.1
+fideslib==2.2.2
 fideslog==1.2.1
 multidimensional_urlencode==0.0.4
 pandas==1.3.3

src/fidesops/api/v1/endpoints/oauth_endpoints.py

@@ -76,7 +76,10 @@ async def acquire_access_token(
     else:
         raise AuthenticationFailure(detail="Authentication Failure")
 
-    client_detail = ClientDetail.get(db, object_id=client_id, config=config)
+    # scopes param is only used if client is root client, otherwise we use the client's associated scopes
+    client_detail = ClientDetail.get(
+        db, object_id=client_id, config=config, scopes=SCOPE_REGISTRY
+    )
 
     if client_detail is None:
         raise AuthenticationFailure(detail="Authentication Failure")

src/fidesops/util/oauth_util.py

@@ -21,6 +21,7 @@
 from starlette.status import HTTP_404_NOT_FOUND
 
 from fidesops.api.deps import get_db
+from fidesops.api.v1.scope_registry import SCOPE_REGISTRY
 from fidesops.api.v1.urn_registry import TOKEN, V1_URL_PREFIX
 from fidesops.core.config import config
 from fidesops.models.policy import PolicyPreWebhook
@@ -138,8 +139,9 @@ async def verify_oauth_client(
     if not client_id:
         raise AuthorizationError(detail="Not Authorized for this action")
 
+    # scopes param is only used if client is root client, otherwise we use the client's associated scopes
     client = ClientDetail.get(
-        db, object_id=client_id, config=config, scopes=security_scopes.scopes
+        db, object_id=client_id, config=config, scopes=SCOPE_REGISTRY
     )
 
     if not client:

tests/api/v1/endpoints/test_oauth_endpoints.py

@@ -390,6 +390,28 @@ def test_invalid_client_secret(self, db, url, api_client):
 
         new_client.delete(db)
 
+    def test_get_access_token_root_client(self, url, api_client):
+        data = {
+            "client_id": config.security.OAUTH_ROOT_CLIENT_ID,
+            "client_secret": config.security.OAUTH_ROOT_CLIENT_SECRET,
+        }
+
+        response = api_client.post(url, data=data)
+        jwt = json.loads(response.text).get("access_token")
+        assert 200 == response.status_code
+        assert (
+            data["client_id"]
+            == json.loads(extract_payload(jwt, config.security.APP_ENCRYPTION_KEY))[
+                JWE_PAYLOAD_CLIENT_ID
+            ]
+        )
+        assert (
+            json.loads(extract_payload(jwt, config.security.APP_ENCRYPTION_KEY))[
+                JWE_PAYLOAD_SCOPES
+            ]
+            == SCOPE_REGISTRY
+        )
+
     def test_get_access_token(self, db, url, api_client):
         new_client, secret = ClientDetail.create_client_and_secret(
             db,