
feat: extra claims for rfc7523 grants #3220

Closed

pflipp opened this issue Aug 19, 2022 · 4 comments
Labels
feat New feature or request.

Comments


pflipp commented Aug 19, 2022

Preflight checklist

Describe your problem

With the consent session I provide access/ID token claims which reference, for example, the tenant-ID or group-ID of the user.
In the backend I do token introspection, and based on the result I have implemented further rules for authorization (allow/deny access for specific groups) or routing (e.g. route a user from tenant-ID to service tenant-ID.example.org).

Now I would like to use urn:ietf:params:oauth:grant-type:jwt-bearer tokens to access the backend but the implemented rules will not work as these extra claims are not present.

Describe your ideal solution

Provide an "extra_claims" field in the admin endpoint:

POST /trust/grants/jwt-bearer/issuers

{
  ....
  "subject": "bar",
  "extra_claims": {
    "my": "extra claim"
  }
}

In the authorization flow of urn:ietf:params:oauth:grant-type:jwt-bearer the access token session could be enriched with the "extra_claims", and in the end the token introspection would return them:

POST /oauth2/introspect

token=[access-token]

200 OK

{
  "sub": "bar",
  "ext": {
    "my": "extra claim"
  }
}

Workarounds or alternatives

On every request, make an additional request to the login provider to ask for this information.

Version

1.11.9

Additional Context

If you think this is a reasonable feature for Hydra, I would be up to contribute.

pflipp added the feat label Aug 19, 2022

aeneasr (Member) commented Nov 1, 2022

True, token exchange currently does not support additional claims! Not sure what the best approach to solve this would be here…

rahlenjakob commented Dec 12, 2022

I have a use case where I want to add dynamic claim values (and keys) depending on several factors (properties sent in the initial requests, properties in the provided JWT token, etc.).

> Workarounds or alternatives
> on every request make an additional request to the login provider to ask for this information.

IMO the workaround aligns pretty well with the hook approach used for updating refresh token claims - having something similar here would make sense to me.

This aligns very well with #3244

sgal (Contributor) commented May 15, 2023

@pflipp You can use the token hook feature to add extra claims during the token exchange. See https://www.ory.sh/docs/hydra/guides/claims-at-refresh
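To make the suggested hook approach concrete, and to show how it yields the introspection output the issue description sketches ("ext" carrying the extra claims for a jwt-bearer access token), here is an added example of a minimal token hook service. It is not code from Hydra, from the Ory guide, or from any participant in this thread. It assumes the hook request/response JSON shape from the linked guide (session with id_token.id_token_claims.sub, request.grant_types; response session.access_token), which should be checked against the Hydra version in use, and it uses a constructed in-memory map in place of the per-issuer "extra_claims" store the issue proposes. The hook enriches only jwt-bearer grants, leaves other grants untouched (204), and refuses to mint a token it cannot attribute to a subject (403).

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
)

// Grant type string from the issue description.
const jwtBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer"

// HookRequest mirrors the body Hydra POSTs to the token hook. The field names
// and nesting are an assumption taken from the linked Ory guide; verify them
// against your Hydra version before relying on them.
type HookRequest struct {
	Session struct {
		ClientID string                 `json:"client_id"`
		Extra    map[string]interface{} `json:"extra"`
		IDToken  map[string]interface{} `json:"id_token"`
	} `json:"session"`
	Request struct {
		ClientID        string   `json:"client_id"`
		GrantTypes      []string `json:"grant_types"`
		GrantedScopes   []string `json:"granted_scopes"`
		GrantedAudience []string `json:"granted_audience"`
	} `json:"request"`
}

// HookResponse is returned with HTTP 200; the access_token map is merged into
// the token session and is what /oauth2/introspect later surfaces under "ext".
type HookResponse struct {
	Session struct {
		AccessToken map[string]interface{} `json:"access_token"`
	} `json:"session"`
}

// extraClaimsBySubject plays the role of the per-issuer "extra_claims" the
// issue asked for. Constructed sample data; a real hook would read this from
// the same store that holds the jwt-bearer trust relationships.
var extraClaimsBySubject = map[string]map[string]interface{}{
	"bar": {"tenant_id": "tenant-123", "group_id": "ops"},
}

// subjectOf reads session.id_token.id_token_claims.sub (path assumed, see above).
// Reads on nil maps are safe in Go, so a missing path simply yields "".
func subjectOf(req HookRequest) string {
	claims, _ := req.Session.IDToken["id_token_claims"].(map[string]interface{})
	sub, _ := claims["sub"].(string)
	return sub
}

// Decide maps a hook request to (response, HTTP status):
//   200 + claims -> enrich the access-token session
//   204          -> issue the token unchanged
//   403          -> refuse to issue the token
func Decide(req HookRequest) (*HookResponse, int) {
	jwtBearer := false
	for _, g := range req.Request.GrantTypes {
		if g == jwtBearerGrant {
			jwtBearer = true
		}
	}
	if !jwtBearer {
		// Other grants already carry the consent-session claims; leave them alone.
		return nil, http.StatusNoContent
	}
	sub := subjectOf(req)
	if sub == "" {
		// Never mint a token the backend could not attribute to a subject.
		return nil, http.StatusForbidden
	}
	claims, ok := extraClaimsBySubject[sub]
	if !ok {
		return nil, http.StatusNoContent
	}
	resp := &HookResponse{}
	resp.Session.AccessToken = make(map[string]interface{}, len(claims))
	for k, v := range claims {
		resp.Session.AccessToken[k] = v // copy so callers cannot mutate the store
	}
	return resp, http.StatusOK
}

// hookHandler is the HTTP face of Decide, the endpoint Hydra would be pointed at.
func hookHandler(w http.ResponseWriter, r *http.Request) {
	var req HookRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad hook payload", http.StatusBadRequest)
		return
	}
	resp, status := Decide(req)
	if resp == nil {
		w.WriteHeader(status)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(resp)
}

func main() {
	// Bind to loopback only: the hook is an internal trust boundary, and Hydra
	// should reach it over a private network (or mTLS), never the public internet.
	http.HandleFunc("/hooks/token", hookHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9000", nil))
}
```

With this running and Hydra configured to call it as its token hook, an introspection of a token obtained through the jwt-bearer grant for subject "bar" would carry `"ext": {"tenant_id": "tenant-123", "group_id": "ops"}`, which is exactly what the backend rules in the issue description key on.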

pflipp (Author) commented May 17, 2023

@sgal thank you for implementing #3244!

I will close this as the workaround with the refresh token hook would work for me.

pflipp closed this as completed May 17, 2023