For user tokens, the scopes granted to a user role are included in the permissions
claim, like this:
{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}
For M2M tokens, the scopes are included in both the scope (as a string) and permissions (as a list) claims, with identical information:
{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "scope": "some lovely scopes",
  "gty": "client-credentials",
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}
If I try to remove the scope claim in a hook, the permissions claim also disappears:
{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "gty": "client-credentials"
}
- Why is the permissions information duplicated in the scope claim for M2M tokens?
- Why does the scope claim need to be included in M2M tokens for the permissions claim to show up, when it is not required for user tokens?
This duplicate information is making the JWT unnecessarily long, especially when there are quite a few scopes.
Thanks.
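One way a resource server can cope with the two token shapes described in this post (user tokens with only `permissions`, M2M tokens with both `scope` and `permissions`, and tokens where a hook has stripped one of them) is to read both claims and apply the least-privilege intersection when they disagree. The following is an added example, not code from the original post or from Auth0; it assumes the JWT's signature, issuer, audience and expiry have already been verified upstream and the decoded payload is passed in as a dict, and the sample payloads are constructed for illustration.

```python
"""Normalise scope information from an already-verified Auth0-style access token.

Added example (not from the original post or from Auth0). Assumes signature,
issuer, audience and expiry were verified before the payload reaches this code.
Claim names follow the post: `scope` (space-separated string), `permissions`
(list of strings) and `gty` ("client-credentials" marks an M2M token).
"""
from __future__ import annotations


def scope_sources(claims: dict) -> dict[str, set[str]]:
    """Return every scope-bearing claim present, each as a set of scope strings."""
    sources: dict[str, set[str]] = {}
    scope_str = claims.get("scope")
    if isinstance(scope_str, str):
        # `scope` is a single space-delimited string; drop empty pieces.
        sources["scope"] = {s for s in scope_str.split(" ") if s}
    perms = claims.get("permissions")
    if isinstance(perms, list):
        # `permissions` is a list; ignore anything that is not a string.
        sources["permissions"] = {p for p in perms if isinstance(p, str)}
    return sources


def granted_scopes(claims: dict) -> set[str]:
    """Scopes the token actually grants.

    User tokens carry only `permissions`; M2M tokens carry both claims. If both
    are present and disagree (e.g. a hook edited one of them), only the scopes
    they agree on are granted, so a discrepancy can never widen access.
    """
    sources = scope_sources(claims)
    if not sources:
        return set()
    result: set[str] | None = None
    for scopes in sources.values():
        result = set(scopes) if result is None else result & scopes
    return result if result is not None else set()


def claims_consistent(claims: dict) -> bool:
    """True when `scope` and `permissions` (whichever are present) carry the same set."""
    distinct = {frozenset(s) for s in scope_sources(claims).values()}
    return len(distinct) <= 1


def is_m2m(claims: dict) -> bool:
    """Client-credentials (machine-to-machine) tokens are marked by gty."""
    return claims.get("gty") == "client-credentials"


def has_scope(claims: dict, required: str) -> bool:
    """Authorization decision for a single required scope."""
    return required in granted_scopes(claims)


# Constructed sample payloads (placeholders, not real tokens).
USER_TOKEN = {
    "iss": "https://issuer.example.invalid/",
    "sub": "auth0|user-placeholder",
    "aud": "https://api.example.invalid/",
    "permissions": ["read:things", "write:things"],
}

M2M_TOKEN = {
    "iss": "https://issuer.example.invalid/",
    "sub": "client-placeholder@clients",
    "aud": "https://api.example.invalid/",
    "scope": "read:things write:things",
    "gty": "client-credentials",
    "permissions": ["read:things", "write:things"],
}

# The two claims disagree: `scope` claims an extra permission that
# `permissions` does not list. The intersection drops it.
DIVERGENT_TOKEN = {
    **M2M_TOKEN,
    "scope": "read:things write:things admin:things",
}


if __name__ == "__main__":
    for name, tok in [("user", USER_TOKEN), ("m2m", M2M_TOKEN), ("divergent", DIVERGENT_TOKEN)]:
        print(name, "m2m" if is_m2m(tok) else "user",
              sorted(granted_scopes(tok)), "consistent" if claims_consistent(tok) else "MISMATCH")
```

Logging the `claims_consistent` result separately from the authorization decision is worthwhile: a steady stream of mismatches between the two claims usually points at a hook or rule that edits one claim without the other, which is exactly the behaviour the post describes.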