Why is the scope claim included in an M2M Client Credentials token?

Related thread.

For user tokens, the scopes granted to a user role are included in the permissions claim, like this:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}

For M2M tokens, the scopes are included in both the scope (as a string) and permissions (as a list) claims, with identical information:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "scope": "some lovely scopes",
  "gty": "client-credentials",
  "permissions": [
    "some",
    "lovely",
    "scopes"
  ]
}

If I try to remove the scope claim in a hook, the permissions claim also disappears:

{
  "iss": ...,
  "sub": ...,
  "aud": ...,
  "iat": ...,
  "exp": ...,
  "azp": ...,
  "gty": "client-credentials"
}

  1. Why is the permissions information duplicated in the scope claim for M2M tokens?
  2. Why does the scope claim need to be included in M2M tokens for the permissions claim to show up, when it is not required for user tokens?

This duplicate information is making the JWT unnecessarily long, especially when there are quite a few scopes.

Thanks.

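The post shows three token shapes: a user token carrying only permissions, an M2M token carrying the same scopes in both scope (space-delimited string) and permissions (list), and an M2M token where a hook stripped both. The following is an added example, not code from the thread or from Auth0, showing how a resource server can verify a token and then read the scopes regardless of which claim survives. It assumes an HS256 demo key, issuer and audience URLs and a fixed clock, all constructed for the example (Auth0 signs access tokens with RS256 by default; HS256 is used only so the signature check runs with the standard library).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not Auth0's real configuration).
DEMO_KEY = b"demo-hs256-key-not-for-production"
ISSUER = "https://example.auth0.com/"       # assumed tenant URL
AUDIENCE = "https://api.example.com/"       # assumed API identifier
NOW = 1_700_000_000                         # fixed clock so results are deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Mint a compact JWS (header.payload.signature) over the payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check alg, signature, exp, iss and aud before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    return claims


def granted_scopes(claims: dict) -> set:
    """Union of `scope` (space-delimited string, RFC 6749 section 3.3) and
    `permissions` (Auth0's RBAC list). Reading both keeps the check working
    whether the token carries both claims or a hook has stripped one."""
    scope = claims.get("scope", "")
    if not isinstance(scope, str):
        raise ValueError("scope must be a string")
    perms = claims.get("permissions", [])
    if not isinstance(perms, list):
        raise ValueError("permissions must be a list")
    return set(scope.split()) | set(perms)


def is_client_credentials(claims: dict) -> bool:
    """Auth0 marks M2M tokens with gty=client-credentials (no human subject)."""
    return claims.get("gty") == "client-credentials"


def authorize(token: str, required: str) -> bool:
    """Resource-server entry point: verify first, then require one scope."""
    claims = verify_hs256(token, DEMO_KEY, ISSUER, AUDIENCE, now=NOW)
    return required in granted_scopes(claims)


def example_tokens() -> dict:
    """Constructed tokens mirroring the three shapes shown in the post."""
    base = {"iss": ISSUER, "sub": "abc@clients", "aud": AUDIENCE,
            "iat": NOW, "exp": NOW + 3600, "azp": "abc"}
    perms = ["some", "lovely", "scopes"]
    return {
        "user": sign_hs256({**base, "sub": "auth0|user1", "permissions": perms}, DEMO_KEY),
        "m2m": sign_hs256({**base, "scope": " ".join(perms),
                           "gty": "client-credentials", "permissions": perms}, DEMO_KEY),
        "m2m_stripped": sign_hs256({**base, "gty": "client-credentials"}, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, tok in example_tokens().items():
        claims = verify_hs256(tok, DEMO_KEY, ISSUER, AUDIENCE, now=NOW)
        print(name, is_client_credentials(claims), sorted(granted_scopes(claims)),
              authorize(tok, "lovely"))
```

Because the claims are only read after the signature, issuer, audience and expiry checks pass, taking the union of the two claims is sound: both were minted by the same authorization server. Which claim to treat as authoritative is a policy choice, but a consumer that reads only `scope` will silently deny every user token, and one that reads only `permissions` breaks as soon as a hook removes the `scope` claim, which, as the post shows, takes `permissions` with it.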

Hi @adamu,

Thanks for providing your feedback. Since this issue has already been covered in the thread you linked (unless I am missing another aspect, please let me know), the best course of action is to express this information to our product team directly through our feedback page.

Using this gateway pushes the information directly to our product management team, ensuring that they hear about your use-case and request.

Thanks!
Dan

Hi Dan, thanks for the reply.

I thought using the community forum would be useful for others searching for the same information later.

I wasn’t trying to provide feedback, but more hoping to find the answers to my two questions. If the answer is that the behavior is unintentional and will be improved, great. :slight_smile: I’ll be sure to contact the product team next time :+1:

