feat(config-api): feature wise admin scope for endpoints by pujavs · Pull Request #12736 · JanssenProject/jans (original) (raw)

71-77: LGTM — Systematic addition of admin-level scopes follows RBAC best practices.

The security scope additions are comprehensive and consistent across all 128 endpoint operations:

• Admin scopes (.admin) added alongside existing CRUD scopes for feature-level administration
• Super-admin scopes (read-all, write-all, delete-all) added appropriately for cross-feature access
• Namespace consistency maintained: /oauth/config/, /oauth/jans-auth-server/, /oauth/client/
• Hierarchical access model implemented: admin > write > read
• Feature grouping logical: e.g., agama.admin covers both agama-deployment and agama-repo

Special cases correctly handled:

• https://jans.io/auth/ssa.admin uses /auth/ namespace (managed by jans-auth component, as per learnings)
• https://jans.io/oauth/client/authorizations.admin uses /client/ namespace (consistent with prior fix)

The scope descriptions in the securitySchemes section (lines 18618-18678) provide clear documentation for all new admin scopes.

Based on learnings: This swagger file is auto-generated from Java source. The scope naming convention intentionally excludes the "jans-" prefix.

Also applies to: 198-204, 230-241, 285-292, 325-336, 380-387, 411-418, 449-460, 537-544, 579-590, 619-630, 656-667, 697-708, 763-775, 810-818, 856-868, 897-909, 1023-1035, 1064-1076, 1105-1117, 1167-1175, 1240-1248, 1303-1311, 1454-1465, 1550-1557, 1644-1651, 1712-1723, 1745-1752, 1821-1828, 1883-1894, 1912-1923, 1958-1965, 1985-1996, 2021-2032, 2084-2095, 2162-2169, 2194-2205, 2242-2249, 2286-2293, 2322-2333, 2380-2387, 2428-2435, 2463-2474, 2517-2524, 2564-2571, 2604-2615, 2668-2675, 2720-2727, 2762-2769, 2888-2897, 3565-3578, 3792-3801, 4012-4021, 4166-4177, 4199-4208, 4367-4376, 4394-4405, 4434-4441, 4470-4481, 4533-4540, 4590-4597, 4610-4617, 4646-4653, 4770-4781, 4855-4862, 4945-4952, 4975-4982, 5022-5029, 5082-5093, 5146-5157, 5245-5256, 5304-5315, 5418-5429, 10907-10918, 10983-10994, 11016-11023, 11079-11086, 11126-11137, 11203-11210, 11269-11276, 11335-11342, 11387-11398, 11469-11476, 11547-11554, 11602-11613, 11638-11645, 11706-11713, 11743-11752, 11781-11792, 11837-11844, 11866-11877, 11910-11917, 11939-11950, 11981-11988, 12021-12028, 12050-12061, 12092-12099, 12132-12139, 12172-12183, 12235-12242, 12280-12289, 12314-12323, 12458-12469, 12546-12553, 12626-12633, 13010-13021, 13043-13050, 13116-13123, 13496-13507, 13881-13892, 13923-13932, 13955-13962, 13986-13993, 14095-14104, 14255-14264, 14291-14300, 14348-14359, 14543-14554, 14603-14614, 14639-14648, 14869-14880, 14996-15008, 15068-15076, 15132-15140, 15184-15196, 15217-15225, 15280-15288, 15350-15362, 18618-18678

12293-12294: Documentation improvement: endpoint description now accurate.

The endpoint summary and description were updated from "Get all plugins" to "Check if plugin is deployed", which correctly reflects that this endpoint queries a specific plugin by name (path parameter {pluginName}), not all plugins.

18483-18490: No issue found - accessToken boolean field is correctly generated.

The accessToken field in the swagger schema is auto-generated from the isAccessToken() method in TokenEntity.java (lines 230-233), which computes a boolean value based on the tokenType. Jackson/Swagger automatically serializes isAccessToken() as accessToken: boolean following standard JSON naming conventions. Similarly, isLogoutStatusJwt() is serialized as logoutStatusJwt: boolean. These are computed properties, not direct fields, so the boolean type and naming are semantically correct and require no changes.