You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With the consent session I provide access-/id token claims which reference for example tenant-ID or group-ID of the user.
in the backend i do token introspection and based on the result i have implemented further rules for authorization (allow/deny access for specific groups) or routing (eg. route user form tenant-ID to service tenant-ID.example.org).
Now I would like to use urn:ietf:params:oauth:grant-type:jwt-bearer tokens to access the backend but the implemented rules will not work as these extra claims are not present.
Describe your ideal solution
provide a "extra_claims" field in the admin endpoint:
in the authorization flow of urn:ietf:params:oauth:grant-type:jwt-bearer the access token session could be enriched with the "extra_claims" and in the end the token introspection would return them:
POST /oauth2/introspect
token=[access-token]
200 OK
{
"sub": "bar",
"ext": {
"my": "extra claim"
}
}
Workarounds or alternatives
on every request make an additional request to the login provider to ask for this information.
Version
1.11.9
Additional Context
if you think this is a reasonable feature for hydra, i would be up to contribute.
The text was updated successfully, but these errors were encountered:
I have a use case where I want to add dynamic claim values (and keys) depending on several factors (properties sent in the initial requests, properties in the provided JWT token, etc.)
Workarounds or alternatives
on every request make an additional request to the login provider to ask for this information.
IMO the workaround aligns pretty well with the hook approach used for updating refresh token claims - having something similar here would make sense to me.
Preflight checklist
Describe your problem
With the consent session I provide access-/id token claims which reference for example tenant-ID or group-ID of the user.
in the backend i do token introspection and based on the result i have implemented further rules for authorization (allow/deny access for specific groups) or routing (eg. route user form tenant-ID to service tenant-ID.example.org).
Now I would like to use
urn:ietf:params:oauth:grant-type:jwt-bearer
tokens to access the backend but the implemented rules will not work as these extra claims are not present.Describe your ideal solution
provide a "extra_claims" field in the admin endpoint:
in the authorization flow of
urn:ietf:params:oauth:grant-type:jwt-bearer
the access token session could be enriched with the "extra_claims" and in the end the token introspection would return them:Workarounds or alternatives
on every request make an additional request to the login provider to ask for this information.
Version
1.11.9
Additional Context
if you think this is a reasonable feature for hydra, i would be up to contribute.
The text was updated successfully, but these errors were encountered: