Problem/Motivation

We do not properly implement the RFC when it comes to the naming of the scope claim.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

We might need to send both scope and scopes for some period to allow for clients to update their implementation.

Data model changes

Comments

sanduhrs created an issue.

sanduhrs

Status: Active » Needs review
File: 3247846-2-rename-scopes-to-scop-in-jwt-payload.patch (new, 614 bytes)

Status: Needs review » Needs work

The last submitted patch, 2: 3247846-2-rename-scopes-to-scop-in-jwt-payload.patch, failed testing.
- codesniffer_fixes.patch: interdiff of automated coding standards fixes only.

bradjones1

Status: Needs work » Closed (won't fix)

This is properly scope per the RFC.

sanduhrs

Status: Closed (won't fix) » Active

bradjones1

Title: Rename scopes to scope in JWT payload » [BC break] Rename scopes to scope in JWT payload
Issue summary: View changes
Issue tags: +Spec Compliance, +BC break

Ack, you're right, I should not farm the issue queue on no sleep. Thank you.

This is a BC break so marking as such.

bradjones1

Priority: Normal » Major

Marking major since this is out of spec compliance.

bradjones1

So I'm actually a little torn on this; the OAuth 2 standard is actually silent on the claims in a JWT used as an auth token, because auth token contents are up to the implementation. See RFC 6750, et al.

However, scope is registered in the IANA claim names registry, but only in the context of token exchange. I actually implemented this extension grant type on a Drupal site recently, so I'm familiar with the flow. However, most people don't implement this nor do they care where the standards come from.

I'm apt to change this "anyway," but I do want to be on the record here saying it is a choice, and is likely to be a disruptive change for someone out there. That said, I think this is the right thing to do, especially as it is in line with the token exchange RFC as well.

See draft release note for 5.1.0: https://www.drupal.org/node/3255523

It's also worth noting that we probably fall short of the spec when it comes to returning a response parameter (not to be confused with the JWT claim) when requested scopes are not granted for some reason. I've noted this at https://www.drupal.org/project/simple_oauth/issues/2958159#comment-14355254
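The issue summary suggests emitting both `scope` and `scopes` for a transition period, and the comment above notes the rename will be disruptive for clients that read the old claim. The following is an added example of how a resource server or client consuming these tokens can absorb the rename; it is not code from simple_oauth or from anyone in this thread. It assumes the claims have already been taken from a signature-verified JWT, that the new `scope` claim is a space-delimited string as defined by RFC 6749 section 3.3 and used by the token exchange RFC (RFC 8693), and that the legacy `scopes` claim is a JSON array of scope identifiers (an assumption about the old payload shape, not something this page states). When both claims are present but disagree, the token is rejected rather than silently trusting one of them.

```python
"""Normalise the OAuth scope claim while 'scopes' is being renamed to 'scope'.

Added example, not part of the simple_oauth project. Assumptions:
  - `claims` comes from a JWT whose signature has ALREADY been verified;
    this code only interprets claims, it does not verify tokens.
  - 'scope'  : space-delimited string (RFC 6749 s3.3 syntax, RFC 8693 claim).
  - 'scopes' : legacy JSON array of scope identifiers (assumed old shape).
"""
from typing import Any, FrozenSet, Iterable, Mapping, Optional


class ScopeClaimError(ValueError):
    """Token carries no usable scope claim, a malformed one, or inconsistent ones."""


def _parse_scope_string(value: Any) -> FrozenSet[str]:
    # RFC 6749 section 3.3: scope is a list of space-delimited, case-sensitive strings.
    if not isinstance(value, str):
        raise ScopeClaimError("'scope' claim must be a space-delimited string")
    return frozenset(token for token in value.split(" ") if token)


def _parse_scopes_array(value: Any) -> FrozenSet[str]:
    # Legacy shape (assumed): a JSON array of scope identifier strings.
    if not isinstance(value, list) or not all(isinstance(s, str) for s in value):
        raise ScopeClaimError("'scopes' claim must be an array of strings")
    return frozenset(value)


def granted_scopes(claims: Mapping[str, Any]) -> FrozenSet[str]:
    """Return the granted scopes from verified JWT claims.

    Prefers the RFC-compliant 'scope' claim, falls back to legacy 'scopes',
    and rejects the token outright if both are present but disagree, so a
    consumer never acts on a scope set the issuer did not unambiguously grant.
    """
    new: Optional[FrozenSet[str]] = (
        _parse_scope_string(claims["scope"]) if "scope" in claims else None
    )
    old: Optional[FrozenSet[str]] = (
        _parse_scopes_array(claims["scopes"]) if "scopes" in claims else None
    )
    if new is None and old is None:
        raise ScopeClaimError("token carries neither 'scope' nor 'scopes'")
    if new is not None and old is not None and new != old:
        raise ScopeClaimError("'scope' and 'scopes' claims disagree")
    return new if new is not None else old  # type: ignore[return-value]


def has_required_scopes(claims: Mapping[str, Any], required: Iterable[str]) -> bool:
    """True only if every required scope is granted; raises on an unusable token."""
    return frozenset(required) <= granted_scopes(claims)


def rejects_token(claims: Mapping[str, Any]) -> bool:
    """Helper for callers that want a boolean instead of an exception."""
    try:
        granted_scopes(claims)
    except ScopeClaimError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample payloads (already signature-verified in this scenario).
    new_style = {"sub": "42", "scope": "read write"}
    old_style = {"sub": "42", "scopes": ["read", "write"]}
    transition = {"sub": "42", "scope": "read write", "scopes": ["write", "read"]}
    tampered = {"sub": "42", "scope": "read", "scopes": ["read", "admin"]}

    for name, payload in [("new", new_style), ("old", old_style),
                          ("both", transition), ("conflict", tampered)]:
        if rejects_token(payload):
            print(f"{name}: rejected")
        else:
            print(f"{name}: granted {sorted(granted_scopes(payload))}, "
                  f"write allowed={has_required_scopes(payload, ['write'])}")
```

Once every client has moved to reading `scope`, the `scopes` branch can be deleted and the function collapses to a single RFC 6749 parse; until then the disagreement check is what keeps the dual-claim period from becoming a way to smuggle an extra scope past a consumer that only looks at one of the two names.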

  • bradjones1 committed ed445f7 on 5.1.x authored by sanduhrs
    Issue #3247846 by sanduhrs, bradjones1: [BC break] Rename scopes to...

bradjones1

Status: Active » Fixed

Committed to 5.1.x.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.