Open
Description
Are there permissions added to an OAuth Client that aren't being used? Answering this question will allow people to remove them, and adhere to the Principle of Least Privilege.
Approach
- Add or enhance a tool to list permissions assigned to an OAuth Client or Role.
- Download the OpenAPI Spec for the Platform API: https://api.mypurecloud.com/api/v2/docs/swagger (per region: https://api.{region}/api/v2/docs/swagger)
- Extract the permissions based on the `x-inin-requires-permissions` property
- Return those permissions based on the endpoint
Considerations
- The OpenAPI Spec is large, so perhaps preprocess at build time?
- Mark as possibly inaccurate in tool schema? This is because the OpenAPI specs may be out of date, or missing permissions
Excerpt from OpenAPI Spec
```json
"/api/v2/usage/events/definitions": {
  "get": {
    "tags": [
      "Operational Events"
    ],
    "summary": "Get all operational event definitions",
    "description": "",
    "operationId": "getUsageEventsDefinitions",
    "produces": [
      "application/json"
    ],
    "parameters": [],
    "responses": {
      "200": {
        "description": "successful operation",
        "schema": {
          "$ref": "#/definitions/EventDefinitionListing"
        }
      }
      //...
    },
    "security": [
      {
        "PureCloud OAuth": [
          "usage",
          "usage:readonly"
        ]
      }
    ],
    "x-inin-requires-permissions": {
      "type": "ALL",
      "permissions": [
        "usage:events:view"
      ]
    },
    "x-purecloud-method-name": "getUsageEventsDefinitions"
  }
}
```
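As an added example (not code from this repository), the extraction step from the Approach above, carried through to the question the issue actually asks: index every operation's `x-inin-requires-permissions` extension, then compare the permissions granted to a client or role against the endpoints that client is observed calling. The spec fragment is constructed inline from the excerpt above plus a hypothetical `/api/v2/example/widgets` path (one operation with `"type": "ANY"`, one with no permission extension at all) so the `ANY`/`ALL` and missing-data cases are exercised. It also assumes a granted permission may use `*` as a wildcard segment (e.g. `usage:*:*`); if that assumption is wrong for your tenant, replace `permission_matches` with an exact comparison. Operations with no extension are reported as "unknown" rather than "needs nothing", in line with the Consideration that the spec may be out of date.

```python
"""Index x-inin-requires-permissions from a Genesys Cloud OpenAPI (Swagger 2.0)
document and report which granted permissions are never needed by the
endpoints a client actually calls.  Added example; not project code."""
import fnmatch
import json

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}

# Constructed spec fragment: the usage/events operation from the issue plus a
# hypothetical path that covers the "ANY" type and a missing extension.
SPEC_JSON = r'''
{
  "swagger": "2.0",
  "paths": {
    "/api/v2/usage/events/definitions": {
      "get": {
        "operationId": "getUsageEventsDefinitions",
        "x-inin-requires-permissions": {"type": "ALL", "permissions": ["usage:events:view"]}
      }
    },
    "/api/v2/example/widgets": {
      "parameters": [],
      "get": {
        "operationId": "getExampleWidgets",
        "x-inin-requires-permissions": {"type": "ANY",
          "permissions": ["example:widget:view", "example:widget:edit"]}
      },
      "post": {"operationId": "postExampleWidgets"}
    }
  }
}
'''


def index_permissions(spec: dict) -> dict:
    """Map (METHOD, path) -> {"type": ..., "permissions": [...]} or None.

    None records that the spec declares no x-inin-requires-permissions for
    the operation; we keep that distinct from "requires nothing" because the
    spec may be out of date or missing permissions."""
    index = {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            ext = op.get("x-inin-requires-permissions")
            if ext is None:
                index[(method.upper(), path)] = None
            else:
                index[(method.upper(), path)] = {
                    "type": ext.get("type", "ALL").upper(),
                    "permissions": list(ext.get("permissions", [])),
                }
    return index


def permission_matches(granted: str, required: str) -> bool:
    """Assumption: '*' in a granted permission is a wildcard (e.g. 'usage:*:*')."""
    return fnmatch.fnmatchcase(required, granted)


def audit(index: dict, granted: list, called: list) -> tuple:
    """Return (unused, unsatisfied, unknown).

    unused:      granted permissions that satisfy no called endpoint
    unsatisfied: called endpoints whose ALL/ANY requirement the grant fails
    unknown:     called endpoints absent from the index or lacking the extension"""
    used = set()
    unsatisfied, unknown = [], []
    for endpoint in called:
        req = index.get(endpoint)
        if req is None:
            unknown.append(endpoint)
            continue
        hits = {p: {g for g in granted if permission_matches(g, p)}
                for p in req["permissions"]}
        ok = any(hits.values()) if req["type"] == "ANY" else all(hits.values())
        if ok:
            for matched in hits.values():
                used |= matched
        else:
            unsatisfied.append(endpoint)
    return sorted(set(granted) - used), unsatisfied, unknown


SPEC = json.loads(SPEC_JSON)
INDEX = index_permissions(SPEC)
# Constructed grant and call log for the demo.
GRANTED = ["usage:events:view", "example:widget:edit", "routing:queue:view"]
CALLED = [("GET", "/api/v2/usage/events/definitions"),
          ("GET", "/api/v2/example/widgets"),
          ("POST", "/api/v2/example/widgets")]


def demo() -> tuple:
    return audit(INDEX, GRANTED, CALLED)


if __name__ == "__main__":
    unused, unsatisfied, unknown = demo()
    print("unused permissions:", unused)
    print("unsatisfied endpoints:", unsatisfied)
    print("endpoints with no permission data:", unknown)
```

Against a real download of `https://api.{region}/api/v2/docs/swagger`, replace `SPEC_JSON` with the file contents and build `INDEX` once at build time, as the Considerations suggest; the per-operation dict it produces is small enough to ship with the tool. Whatever the tool reports for an endpoint in the `unknown` list should be labelled as possibly inaccurate rather than as "no permission required".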