# talk-oathkeeper
c
When doing OAuth2 introspection, does it verify the ID token and pass the scopes through via the JWT? (Ideally I'd prefer to check the scopes on my app instead of on the Oathkeeper proxy)
m
Hello @creamy-fall-97349 I haven't personally done this, so you have to help me a bit. You want to use oauth2_introspection to verify the request? That would check if the token is valid and also if the scopes granted are correct. IMO it makes sense that this would be checked on the authentication part. Keep in mind that scopes are not a “permission”. But maybe there is something about your use case I am missing now.
c
So basically, we have a team that manages our infrastructure and a team that develops the apps. The team that develops our apps wants to validate and verify the scopes themselves from the JWT; it saves them having to tell the infrastructure team what routes need what.
It’s also an issue if an app requires a specific scope but that isn’t defined in the Oathkeeper rules because some dev built a feature or made a change and hasn’t properly updated the documentation or told the infra team.
m
How do they check the scopes now without Oathkeeper?
c
So essentially, I just want Oathkeeper to validate the access token and provide the subject ID in the JWT, as well as the scopes for the access token.
Well, right now we’re building our architecture from the ground up, so we don’t actually check scopes right now; this just came up as a concern as we’re prototyping how our new design would work.
We basically want our dev team to be able to build services out without having to update the oathkeeper rules to include each new route and what scopes are required
Would rather leave that down to the app level
m
Yes, that makes sense, and it's for sure possible. Knowing nothing about your app, what do you pass on to the app after Oathkeeper? You could write the scope into the header and pass it on like that maybe 🤔 Would that work in your opinion @creamy-fall-97349?
c
@magnificent-energy-493 something like that would work, but isn’t the scope of the token available through introspection? The idea is to just create a proxy which just wildcards routes and have the permissions and scopes checked on the app.