#talk-hydra
Title
t
thankful-postman-1700
03/05/2022, 11:20 AMJust one question when using jwt-bearer is the final scope the intersection of client_id scope, jwt-bearer scope and token endpoint scope?
p
proud-plumber-24205
03/07/2022, 1:04 PMHi @User
Not actually sure what the question is. The scopes you give it is optional when using the
urn:ietf:params:oauth:grant-type:jwt-bearert
thankful-postman-1700
03/07/2022, 1:22 PMHi Alano,
I solved the authentication. However the behavior is really weird, I have open an issue on github https://github.com/ory/hydra/issues/3030 .
But to summarize my question that is in the issue: We need currently to 1st setup a client, 2nd Generate A JWT-Bearer conf, and 3rd Authenticate with oauth2/token and in each part we can specify a scope. So for regular oauth2 workflow the resulting scope in the access_token is the intersection of what is specified in the client configuration and in the token authorization request. So I was expecting that as we have with JWT-Bearer a intermediate step, to have Client Conf scope ^ JWT-BearerConf scope ^ Token Authorization scope, but it is not the case next to my tests.
As I was not finding anything in the doc nor the RFCs, I just want to ensure that this is the intended behavior and it is considered as stable.
p
proud-plumber-24205
03/07/2022, 2:07 PMI think (from briefly reading the spec) the scopes are just validated against what is in the client conf. So if you created a client conf, there you can define the scopes you allow. It is now up to the client sending the JWT to define which scopes should be added to the token. Thus if you don't specify any scopes in the request to the
/oauth2/tokent
thankful-postman-1700
03/07/2022, 2:30 PM"the scopes are just validated against what is in the client conf" : then that's not the case with jwt-bearer in real hydra usage, so maybe there is a bug. Don't worry about this I will keep an eye on github. Thanks for your help BTW.
2 Views