Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Scope can now be space delimited in access tokens #482

Merged
merged 5 commits into from
Oct 11, 2020
Merged

feat: Scope can now be space delimited in access tokens #482

merged 5 commits into from
Oct 11, 2020

Conversation

mitar
Copy link
Contributor

@mitar mitar commented Sep 20, 2020
edited
Loading

Related issue

Fixes: #362

Proposed changes

Now one cal call WithScopeField on DefaultJWTStrategy to configure how you want for scopes to be in access token: in old scp list or new scope string.

Checklist

  • I have read the contributing guidelines
  • I have read the security policy
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

@mitar
Copy link
Contributor Author

mitar commented Sep 20, 2020

It would be useful I think that we change in all examples this default. But I am not sure this is easy without changing defaults for compose which would be breaking backwards compatibility. Then we could just break backwards compatibility here (which I do think might be reasonable and just use now standardized string by default, while allowing people to configure old behavior with quick code change on their end).

@mitar
Copy link
Contributor Author

mitar commented Sep 30, 2020

@aeneasr ping. :-)

aeneasr
aeneasr reviewed Sep 30, 2020
View reviewed changes
compose/compose_strategy.go Show resolved Hide resolved
handler/oauth2/strategy_jwt.go Outdated Show resolved Hide resolved
handler/oauth2/strategy_jwt.go Outdated Show resolved Hide resolved
@aeneasr
Copy link
Member

aeneasr commented Sep 30, 2020

Grr, I reviewed it but did not click send :D

mitar
mitar commented Oct 7, 2020
View reviewed changes
token/jwt/claims_jwt.go
@@ -102,7 +122,13 @@ func (c *JWTClaims) ToMap() map[string]interface{} {
ret["exp"] = float64(c.ExpiresAt.Unix()) // jwt-go does not support int64 as datatype

if c.Scope != nil {
ret["scp"] = c.Scope
// ScopeField default (when value is JWTScopeFieldUnset) is the list for backwards compatibility with old versions of fosite.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aeneasr Are you sure we want to keep backwards compatibility here? Existing behavior is not by the spec and it can be surprised that JWT tokens looks like they do not have scopes (because you are looking at the standard field). Should we change default here to be by the spec by default?

@mitar mitar requested a review from aeneasr October 7, 2020 04:01
@mitar
Copy link
Contributor Author

mitar commented Oct 7, 2020

I addressed review comments.

aeneasr
aeneasr approved these changes Oct 11, 2020
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome 🎉

@aeneasr aeneasr merged commit 8225935 into ory:master Oct 11, 2020
@mitar
Copy link
Contributor Author

mitar commented Oct 12, 2020

What do you think about making it backwards incompatible?

@mitar mitar deleted the space-scope branch October 12, 2020 02:11
@aeneasr
Copy link
Member

aeneasr commented Oct 13, 2020

Given how long fosite and hydra are around I'm not really a fan of making this backwards incompatible. Theoretically, we could at some point deprecate it and then remove it but it would need at least a couple of iterations and 6 months transition time.

@mitar
Copy link
Contributor Author

mitar commented Oct 13, 2020

I would not remove it, but change the default. I find it problematic that even for new installs people will have non-standard behavior. Maybe we should at least document this somewhere and update all examples? But I am not sure if we have JWT example at all.

@aeneasr
Copy link
Member

aeneasr commented Oct 20, 2020

Ok, that makes sense to me!

@mitar
Copy link
Contributor Author

mitar commented Oct 20, 2020

So you are saying we should document this and and update examples? And not change default? But do we have a JWT example? So it is just updating documentation somewhere?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

scope in access token is not space delimited
2 participants
@mitar @aeneasr