# talk-hydra
t
Just one question: when using jwt-bearer, is the final scope the intersection of client_id scope, jwt-bearer scope and token endpoint scope?
p
Hi @User, not actually sure what the question is. The scopes you give it are optional when using the urn:ietf:params:oauth:grant-type:jwt-bearer grant. https://www.ory.sh/docs/hydra/guides/oauth2-grant-type-jwt-bearer#exchanging-jwts-for-access-tokens
t
Hi Alano,
I solved the authentication. However, the behavior is really weird; I have opened an issue on github: https://github.com/ory/hydra/issues/3030.
But to summarize my question that is in the issue: we currently need to 1st set up a client, 2nd generate a JWT-Bearer conf, and 3rd authenticate with oauth2/token, and in each part we can specify a scope. So for the regular oauth2 workflow the resulting scope in the access_token is the intersection of what is specified in the client configuration and in the token authorization request. So I was expecting that, as we have an intermediate step with JWT-Bearer, we would have Client Conf scope ^ JWT-BearerConf scope ^ Token Authorization scope, but it is not the case according to my tests.
As I did not find anything in the doc or the RFCs, I just want to ensure that this is the intended behavior and that it is considered stable.
p
I think (from briefly reading the spec) the scopes are just validated against what is in the client conf. So if you created a client conf, there you can define the scopes you allow. It is now up to the client sending the JWT to define which scopes should be added to the token. Thus if you don't specify any scopes in the request to the /oauth2/token post then it will just be empty.
t
"the scopes are just validated against what is in the client conf" : then that's not the case with jwt-bearer in real hydra usage, so maybe there is a bug. Don't worry about this I will keep an eye on github. Thanks for your help BTW.