Why the scope at the JWT is different from the scope at authentication body ?

Follow

Andres Gorostidi Pulgar

September 06, 2018 21:45

WHen I do an authentication request with:

 

authenticationOptions = {

"method":"POST",

"url":WWS_OAUTH_URL,

"auth": {

"user":APP_ID,

"pass":APP_SECRET

},

"form": {

"grant_type":"client_credentials"

}

};

 

I do receive the following answer on the body:

 

{ access_token:

   'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJhcHAiXSwic2NvcGUiOlsiYXBwIl0sImlkIjoiNWE3OTkyNjQtYTE1OS00OTFjLWJlNDktNzc0ZTM0OGI0YWNhIiwiZXhwIjoxNTM2MjcwNzE0LCJqdGkiOiI0NzRjMjRjYi0zYzUwLTQxZGEtYjFkZC04ZGMyNGUzODdiMGEiLCJjbGllbnRfaWQiOiI1YTc5OTI2NC1hMTU5LTQ5MWMtYmU0OS03NzRlMzQ4YjRhY2EifQ.RgP_VMM_8-PCE4gNJIO2l1NhpBU2KXcSSd6LQmdbA7a-CBQsqmfCBfu7_RKtRKqPZOuB6Rp4jF6aD64KcSihF53x9ShYHj33Xf7X2KNdC-onRyrGCm4O6TW6QQkjuM91SnAuOajvw8TdAzRt0OjU84fPQ4D-C5rDdGBuoMcd_cyB3sH2kUOVNygYKV-KmRTUP13PdgT-x5Me5ZwADA8uQ20xtqBb8NslHiSjkmR-hBHkNmDXqFABnJ9sAmIpYIHqNrH6_10L4DFfR4_iGhobKRojjF29qaFk5a3vbusaJbcDR3PiAc9lUk2WIhgQwFZM0LNl61DOT8qRYw_C_0u3sg',

  token_type: 'bearer',

  expires_in: 3599,

  id: '5a799264-a159-491c-be49-774e348b4aca',

  jti: '474c24cb-3c50-41da-b1dd-8dc24e387b0a',

  scope:

   'member_modify transcript_read profile_update message_create space_list message_read file_upload space_change file_download space_read profile_read membership_list' }

 

If I go to JWT.IO and post there the token,  i get this:

{
"permissions": [
"app"
],
"scope": [
"app"
],
"id": "5a799264-a159-491c-be49-774e348b4aca",
"exp": 1536270608,
"jti": "1db76e96-4a82-4614-ad18-0ca516b45b20",
"client_id": "5a799264-a159-491c-be49-774e348b4aca"
}

Why do I have two scopes, and what is the difference between them ?  What is the proposal also to have the ID duplicated, on both the body and the JWT?

 

 

0

• 

  Miguel Estrada September 06, 2018 22:01

  https://jwt.io/introduction/  gives some background on JWTs

   

  Now sure what your use case is.  The JWT has a few parts in it.  id = user or app identity.  client_id = appId.  If the JWT has been obtained as above client-credentials then it indicates that the user identity is that of the app and the client that such user is using is also the app. 

  0

  Permalink
• 

  ANDRES GOROSTIDI PULGAR September 08, 2018 10:51

  There is not specific case, it was just curiosity.  I am aware of what JWT is, and the part it has.  In fact, as far as I known, on the JWT payload you optionally can decide to include any field you want,  but I did not understood why the fields are duplicated, and the same info your are providing on the JWT payload is also outside the JWT, on the response body of the request....   Specially on the scope case........  where I have a scope of  'member_modify transcript_read profile_update message_create space_list message_read file_upload space_change file_download space_read profile_read membership_list'  on the body,   and a scope of "app" on the JWT  (that I presume it can aso change to read+write+ibm if you are runing on behalf of an user....).

  I am aware that I only need the entire JWT, I do not need to extract the payload,  and those are information fields that I will not use inside my app , but as said, it was simple curiosity.....

   

  0

  Permalink

Please sign in to leave a comment.