Lahiru Chandima

Reputation: 24128

Is it OK to include the OAuth scopes inside a JWT?

I am adding an OAuth authorization server endpoint to my existing application. I am planning to issue JWTs from the OAuth token endpoint.

When a token is issued for specific OAuth scopes, it looks better to embed the scopes for which the token is issued inside the token itself, because it is easier to validate whether the token has access to perform a certain action by looking at the token, when the client uses the issued token later to perform some action.

But the standard claim fields of a JWT don't seem to include a suitable field to stamp the OAuth scopes.

So, would it be OK to include the scopes as custom claims in the JWT? Is there any other way to embed the scope details in the JWT?

Upvotes: 3

Views: 9133

Answers (2)

Mitar

Reputation: 7070

There is now a JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft (and probably soon a standard) which many already use in practice. In section 2.2.2 it explicitly states that:

If an authorization request includes a scope parameter, the corresponding issued JWT access token MUST include a scope claim as defined in section 4.2 of [TokenExchange].

All the individual scopes strings in the scope claim MUST have meaning for the resource indicated in the aud claim.

So not only is it allowed to have a scope claim, it is even required if the request had one.

Upvotes: 1
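A worked illustration of the scope claim described in the answer above, added here and not taken from the profile text or any library: the token endpoint mints an HS256 access token whose granted scopes go into a space-delimited scope claim, and the resource server verifies signature, audience and expiry before comparing the claim against the scopes an action requires. The issuer URL, audience, secret and scope names are constructed placeholders.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret and issuer; a real server uses a managed key, usually asymmetric.
SECRET = b"demo-secret-not-for-production"
ISSUER = "https://as.example"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(sub, aud, scopes, ttl=300, now=None):
    """Token endpoint side: mint an HS256 JWT whose 'scope' claim is the
    space-delimited list of granted scopes (the form used by the profile)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now,
               "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def authorize(token, expected_aud, required_scopes, now=None):
    """Resource server side: check signature, audience and expiry, then require
    every scope in required_scopes to be present in the token's 'scope' claim."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:            # malformed base64url or JSON, wrong segment count
        return False
    if header.get("alg") != "HS256":   # the verifier, not the token, decides the algorithm
        return False
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    aud = claims.get("aud")                      # 'aud' may be a string or a list
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False
    if claims.get("exp", 0) <= now:
        return False
    granted = set(claims.get("scope", "").split())
    return set(required_scopes) <= granted
```

Each scope string is compared as an opaque token; it is the resource named in aud that gives the strings meaning, which is why the audience check comes before the scope check.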

Kavindu Dodanduwa

Reputation: 13077

The JWT specification, RFC 7519, provides you the ability to insert and use non-standard/registered claims. This is highlighted in the 4.3. Private Claim Names section of the specification.

A producer and consumer of a JWT MAY agree to use Claim Names that are Private Names: names that are not Registered Claim Names (Section 4.1) or Public Claim Names (Section 4.2). Unlike Public Claim Names, Private Claim Names are subject to collision and should be used with caution.

Also, if you are after standard registered claims, they can be found here - https://www.iana.org/assignments/jwt/jwt.xhtml

Alternatively, if you are only interested in using standard claims and using only them with a JWT access token (I assume the JWT you refer to is an access token), then you can define a token introspection endpoint and put the scope values in its response. Scope is defined as a standard response parameter of the introspection response.

Upvotes: 3
