Conversation
peppelinux approved these changes on Jan 20, 2023
| "acr": SINGLE_OPTIONAL_STRING, | ||
| "amr": OPTIONAL_LIST_OF_STRINGS, | ||
| 'scope': OPTIONAL_LIST_OF_SP_SEP_STRINGS, | ||
| 'groups': OPTIONAL_LIST_OF_STRINGS, |
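Review bot: the quoting in this claim table is inconsistent: "acr" and "amr" use double quotes while 'scope' and 'groups' use single quotes; pick one style for the whole mapping. Since this review thread already had to ask whether the token's subject is the RP or the user, a one-line comment next to the table saying that sub and groups refer to the end user while client_id names the client would spare the next reader the same question.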
Member
Is the subject of the access token the RP or the user?
Member
Are you asking what the sub refers to, or what the groups refer to?
In both cases it is the user:
- the user has the sub identifier
- the user is a member of the presented groups
Reference: https://www.rfc-editor.org/rfc/rfc7643.html#page-23
groups
A list of groups to which the user belongs, either through direct
membership, through nested groups, or dynamically calculated. The
values are meant to enable expression of common group-based or
role-based access control models, although no explicit
authorization model is defined. It is intended that the semantics
of group membership and any behavior or authorization granted as a
result of membership are defined by the service provider. The
canonical types "direct" and "indirect" are defined to describe
how the group membership was derived. Direct group membership
indicates that the user is directly associated with the group and
SHOULD indicate that clients may modify membership through the
"Group" resource. Indirect membership indicates that user
membership is transitive or dynamic and implies that clients
cannot modify indirect group membership through the "Group"
resource but MAY modify direct group membership through the
"Group" resource, which may influence indirect memberships. If
the SCIM service provider exposes a "Group" resource, the "value"
Contributor
Author
Yes, sub is the user. The client appears in client_id and possibly also in aud.
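As an added example (not the project's code), a small checker for the RFC 9068 claim set discussed in this thread, applied to a payload that has already been signature-verified and decoded to a dict; the issuer, resource identifier and sample payload below are constructed values.

```python
import time

# RFC 9068 section 2.2: claims every JWT access token MUST carry.
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")
# Optional claims that RFC 9068 defines as JSON arrays of strings.
LIST_CLAIMS = ("amr", "groups", "roles", "entitlements")


def validate_rfc9068_payload(payload, expected_issuer, resource_id, now=None):
    """Return the problems found in a decoded (signature-verified) payload.
    Empty list means it passes. Two principals: `sub` is the end user
    (resource owner); `client_id` is the client that obtained the token."""
    now = time.time() if now is None else now
    problems = [f"missing required claim: {c}" for c in REQUIRED_CLAIMS if c not in payload]
    if problems:
        return problems
    if payload["iss"] != expected_issuer:
        problems.append("iss does not match the trusted issuer")
    aud = payload["aud"]
    if resource_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not include this resource server")
    if not isinstance(payload["exp"], (int, float)) or payload["exp"] <= now:
        problems.append("token expired or exp malformed")
    if not all(isinstance(payload[c], str) for c in ("sub", "client_id", "jti")):
        problems.append("sub, client_id and jti must be strings")
    # scope is a single space-separated string (section 2.2.3), not a list.
    if "scope" in payload and not isinstance(payload["scope"], str):
        problems.append("scope must be a space-separated string")
    for claim in LIST_CLAIMS:
        value = payload.get(claim)
        if value is not None and not (
            isinstance(value, list) and all(isinstance(v, str) for v in value)
        ):
            problems.append(f"{claim} must be a list of strings")
    return problems


def granted_scopes(payload):
    """Split the space-separated scope claim into a set of scope names."""
    return set(payload.get("scope", "").split())


# Constructed sample payload (not from the project): user "alice" via client "rp-1".
SAMPLE = {
    "iss": "https://op.example.org", "sub": "alice", "client_id": "rp-1",
    "aud": ["https://api.example.org"], "iat": 1674200000, "exp": 1674203600,
    "jti": "0f3a", "scope": "openid profile", "groups": ["staff", "admins"],
}
```

The checker only covers the claim-level rules; header checks such as `typ: at+jwt` and the signature itself belong to the JWT library in front of it.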
Member
Note that RFC9068 is only a profile, i.e. a flavour of a JWT access token. It is not the only possible format, and other profiles should be acceptable.
Contributor
Author
Interesting comment about profiles. I do agree we should allow more than one format.
The class JWTToken was just assuming the payload to be a dict, not following any specific format.
Changed the class to use RFC9068 as the model for the payload.