-
-
Notifications
You must be signed in to change notification settings - Fork 358
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Scope can now be space delimited in access tokens #482
Conversation
It would be useful I think that we change in all examples this default. But I am not sure this is easy without changing defaults for |
@aeneasr ping. :-) |
Grr, I reviewed it but did not click send :D |
@@ -102,7 +122,13 @@ func (c *JWTClaims) ToMap() map[string]interface{} { | |||
ret["exp"] = float64(c.ExpiresAt.Unix()) // jwt-go does not support int64 as datatype | |||
|
|||
if c.Scope != nil { | |||
ret["scp"] = c.Scope | |||
// ScopeField default (when value is JWTScopeFieldUnset) is the list for backwards compatibility with old versions of fosite. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@aeneasr Are you sure we want to keep backwards compatibility here? Existing behavior is not by the spec and it can be surprised that JWT tokens looks like they do not have scopes (because you are looking at the standard field). Should we change default here to be by the spec by default?
I addressed review comments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome 🎉
What do you think about making it backwards incompatible? |
Given how long fosite and hydra are around I'm not really a fan of making this backwards incompatible. Theoretically, we could at some point deprecate it and then remove it but it would need at least a couple of iterations and 6 months transition time. |
I would not remove it, but change the default. I find it problematic that even for new installs people will have non-standard behavior. Maybe we should at least document this somewhere and update all examples? But I am not sure if we have JWT example at all. |
Ok, that makes sense to me! |
So you are saying we should document this and and update examples? And not change default? But do we have a JWT example? So it is just updating documentation somewhere? |
Related issue
Fixes: #362
Proposed changes
Now one cal call
WithScopeField
onDefaultJWTStrategy
to configure how you want for scopes to be in access token: in oldscp
list or newscope
string.Checklist
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.