Is it OK to include the OAuth scopes inside a JWT?

3
votes

I am adding an OAuth authorization server endpoint to my existing application. I am planing to issue JWTs from the OAuth token endpoint.

When a token issued for specific OAuth scopes, it looks better to embed the scopes for which the token is issued inside the token itself, because it is easier to validate whether the token has access to perform a certain action by looking at the token, when the client uses the issued token later to perform some action.

But, the standard claim fields of a JWT doesn't seem to include a suitable field to stamp the OAuth scopes.

So, would it be OK to include the scopes as custom claims in the JWT? Is there any other way to embed the scope details in the JWT?

2
oauth-2.0jwtaccess-token
Short answer: yes, nothing prevent you from creating custom claims that are understood by your clients or serverSpomky-Labs
@FlorentMorselli Since OAuth is prominent for authorization, I expected JWT to have some special support to OAuth. Please post your comment as an answer so I can accept it.Lahiru Chandima

2 Answers

3
votes

JWT specification - RFC7519 provide you the ability to insert and use non-standard/registered claims. This is highlighted 4.3. Private Claim Names section of the specification.

A producer and consumer of a JWT MAY agree to use Claim Names that are Private Names: names that are not Registered Claim Names (Section 4.1) or Public Claim Names (Section 4.2). Unlike Public Claim Names, Private Claim Names are subject to collision and should be used with caution.

Also, if you are after standard registered claims, they can be found here - https://www.iana.org/assignments/jwt/jwt.xhtml

Alternatively, if you are only interested to use standard claims and use only them with JWT Access Token (I assume JWT you refer is an access token), then you can define a token introspection endpoint and put scope values to its response. Scope is defined as a standard response parameter to introspection response

0
votes

There is now JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens draft (and probably soon standard) which many already use in practice. In section 2.2.2 it explicitly states that:

If an authorization request includes a scope parameter, the corresponding issued JWT access token MUST include a scope claim as defined in section 4.2 of [TokenExchange].

All the individual scopes strings in the scope claim MUST have meaning for the resource indicated in the aud claim.

So not only that it is allowed to have scope claim, but it is even required if the request had one.