Watson Workspace will no longer be available after February 28, 2019. Learn more.

Developers

  1. Watson Workspace Help Center
  2. Community
  3. Developers

Why the scope at the JWT is different from the scope at authentication body ?

Follow
Avatar
Andres Gorostidi Pulgar

WHen I do an authentication request with:

 

authenticationOptions = {
"method":"POST",
"url":WWS_OAUTH_URL,
"auth": {
"user":APP_ID,
"pass":APP_SECRET
},
"form": {
"grant_type":"client_credentials"
}
};
 
I do receive the following answer on the body:
 

{ access_token:

   'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJwZXJtaXNzaW9ucyI6WyJhcHAiXSwic2NvcGUiOlsiYXBwIl0sImlkIjoiNWE3OTkyNjQtYTE1OS00OTFjLWJlNDktNzc0ZTM0OGI0YWNhIiwiZXhwIjoxNTM2MjcwNzE0LCJqdGkiOiI0NzRjMjRjYi0zYzUwLTQxZGEtYjFkZC04ZGMyNGUzODdiMGEiLCJjbGllbnRfaWQiOiI1YTc5OTI2NC1hMTU5LTQ5MWMtYmU0OS03NzRlMzQ4YjRhY2EifQ.RgP_VMM_8-PCE4gNJIO2l1NhpBU2KXcSSd6LQmdbA7a-CBQsqmfCBfu7_RKtRKqPZOuB6Rp4jF6aD64KcSihF53x9ShYHj33Xf7X2KNdC-onRyrGCm4O6TW6QQkjuM91SnAuOajvw8TdAzRt0OjU84fPQ4D-C5rDdGBuoMcd_cyB3sH2kUOVNygYKV-KmRTUP13PdgT-x5Me5ZwADA8uQ20xtqBb8NslHiSjkmR-hBHkNmDXqFABnJ9sAmIpYIHqNrH6_10L4DFfR4_iGhobKRojjF29qaFk5a3vbusaJbcDR3PiAc9lUk2WIhgQwFZM0LNl61DOT8qRYw_C_0u3sg',

  token_type: 'bearer',

  expires_in: 3599,

  id: '5a799264-a159-491c-be49-774e348b4aca',

  jti: '474c24cb-3c50-41da-b1dd-8dc24e387b0a',

  scope:

   'member_modify transcript_read profile_update message_create space_list message_read file_upload space_change file_download space_read profile_read membership_list' }

 

If I go to JWT.IO and post there the token,  i get this:

{
"permissions": [
"app"
],
"scope": [
"app"
],
"id": "5a799264-a159-491c-be49-774e348b4aca",
"exp": 1536270608,
"jti": "1db76e96-4a82-4614-ad18-0ca516b45b20",
"client_id": "5a799264-a159-491c-be49-774e348b4aca"
}

Why do I have two scopes, and what is the difference between them ?  What is the proposal also to have the ID duplicated, on both the body and the JWT?

 
 
0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Miguel Estrada

    https://jwt.io/introduction/  gives some background on JWTs

     

    Now sure what your use case is.  The JWT has a few parts in it.  id = user or app identity.  client_id = appId.  If the JWT has been obtained as above client-credentials then it indicates that the user identity is that of the app and the client that such user is using is also the app. 

    0
    Permalink
  • Avatar
    ANDRES GOROSTIDI PULGAR

    There is not specific case, it was just curiosity.  I am aware of what JWT is, and the part it has.  In fact, as far as I known, on the JWT payload you optionally can decide to include any field you want,  but I did not understood why the fields are duplicated, and the same info your are providing on the JWT payload is also outside the JWT, on the response body of the request....   Specially on the scope case........  where I have a scope of  'member_modify transcript_read profile_update message_create space_list message_read file_upload space_change file_download space_read profile_read membership_list'  on the body,   and a scope of "app" on the JWT  (that I presume it can aso change to read+write+ibm if you are runing on behalf of an user....).

    I am aware that I only need the entire JWT, I do not need to extract the payload,  and those are information fields that I will not use inside my app , but as said, it was simple curiosity.....

     

    0
    Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post