next »

[Lu?s T.]

Hi,
We are using Genero Identity Provider and, when requesting an access token, the payload of the Jason Web Token (JWT) the scopes come in a lement called "scopes":

Code:

{
  "sub": "1",
  "exp": 1652111693,
  "nbf": 1652111093,
  "iat": 1652111093,
  "iss": "http://apaxsys004:6394/ws/r/services/GeneroIdentityProvider",
  "aud": "91FEFA49-9317-4723-BC5B-202B5D72E04B",
  "scopes": [
    "query"
  ]
}

All other Authorization Server I tested call the element "scope" (singular), and in every documentation I found, it was singular also. Should I make an exception for GIP or it was a mistake that you will correct?
Thanks

[Lu?s T.]

With further investigations I noticed that, not only the scopes element is named differently ("scopes" instead "scope"), but it is a list of strings instead a string of blank separated words, as it says in the specification:

[Frank G.]

Hi,

 The "scope" or "scopes" parameter in the JWT token is not a standard. Standards are : https://fr.wikipedia.org/wiki/JSON_Web_Token .

In Genero, the "scopes" is mainly used in an access token, to grant access to a REST service or not. It is the IdP that has delivered that token that is in charge to verify it or to provide a library doing the job. In Genero, this is managed by the GeneroAccessService.xcf .

Do you have any issue using Genero libraries with GIP ? What do you want to achieve exactly ?

Regards,
Frank

[Lu?s T.]

Hi Frank,
Thanks for your answer.

What we are developing in our REST services is a OAuth generic support that allows our clients choose to use any IdP of his own or our own IdP (GIP).
That's why we are worrying about standards which I found in the following link: https://datatracker.ietf.org/doc/html/rfc8693#section-4.2.
In any case I can handle this situation, considering a special case when if the token's issuer is the Genero IdP.

Regards
Luis

[Reuben B.]

Hi Luis,

Note that the GIP sources can be found in $FGLDIR/web_utilities/services/gip/src

You can take a copy and modify to meet your requirements.  Just be aware that in doing so, you are then responsible for ongoing maintenance etc.  You may find this preferable to having an IF Genero IdP THEN do something different ...

Reuben

[Lu?s T.]

Thanks Reuben
I opted to trear GIP as special case whene acessing the scopes.
It's better than changing and mantaing the GIP sources
Best Regards
Luis

[Frank G.]

Hi Luis,

 Just to keep you informed, we will support the "scope" parameters in ID and Access token in further Genero releases. As there are other IDPs working this way, we want to be as much compatible as possible. I have registered GIP-123 and GWS-1175.

Regards,

Frank