英文:
Updating jwt scope in token after it has been signed
问题
一个令牌是这样创建的:
"oauth": {
"client_id": "...",
"redirect_uri": "...",
"scope": "p1 p2 p3 p4 p5",
"state": "...",
"code_challenge": "...",
"code_challenge_method": "..."
}
这将返回一个带有范围选项的已签名 JWT 令牌。
我想要在声明中更新带有“selected_person”的已签名 JWT,例如 p1,因此我调用刷新令牌 URL,传入刷新令牌和范围“p1”,在后端执行一些逻辑并设置人员 ID。然后,这会将人员 ID 添加到新签名的令牌中,一切都很好:
例如:/token?client_id=x&grant_type=y&refresh_token=y&scope=p1
可以使用最初定义的任何范围(p1、p2 等)之一调用相同的端点,因为 Spring 会将范围与最初的范围列表进行比较,并在匹配时返回刷新令牌。
问题出现在将新的人员链接到我时,现在我可能会有 p6。由于每个刷新令牌调用都基于第一个列表,p6 不存在,将不被允许。如果我注销并获取新令牌,那么 p6 就会被添加到范围中。
有没有办法在不注销的情况下将 p6 添加到范围中?
编辑:
最终是否有办法更新最初授予的范围?
英文:
A token is created with:
"oauth": {
"client_id": "...",
"redirect_uri": "...",
"scope": "p1 p2 p3 p4 p5",
"state": "...",
"code_challenge": "...",
"code_challenge_method": "..."
}
This returns a signed jwt token with the scope options.
I want to update the signed jwt with a 'selected_person' int the claims, say p1, so i call the refresh token url passing in the refresh token and scope 'p1', do some logic on the backend and set the person id. This then adds the person id to a newly signed token, all is good:
eg. /token?client_id=x&grant_type=y&refresh_token=y&scope=p1
It's possible to call the same endpoint with any of the scopes first defined (p1, p2 etc) as Spring will compare the scope to the initial list of scopes and return a refresh token if it matches.
The problem arises when a new person gets linked to me, so now i would have p6. As each refresh token call is based on the first list, p6 does not exists and will not be allowed. If i logout and get a new token then p6 gets added to the scope.
Is there anyway i can add p6 to the scope without loggin out?
EDIT:
Ultimately is there a way to update originally granted scopes?
答案1
得分: 0
经过大量的寻找答案和解决方案,要实现这个需求,只能在不注销的情况下简单地按照文档所述进行操作:
scope(可选)
请求的范围不能包括未在原始访问令牌中发行的附加范围。通常情况下,这不会包含在请求中;如果省略,则服务应发行一个具有与先前发行的访问令牌相同范围的访问令牌。
参考:https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
英文:
After lots of digging for answers and solutions, the requirement is simply not possible without logging out. As the documentation dictates
> scope (optional)
>
> The requested scope must not include additional
> scopes that were not issued in the original access token. Typically
> this will not be included in the request, and if omitted, the service
> should issue an access token with the same scope as was previously
> issued.
Ref: https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
答案2
得分: 0
@dale,您可以尝试稍微不同的方法,其中您将保持内部范围的映射。但您必须接受初始范围作为群组。然而,您尝试实现的目标由于两个原因而不起作用。
- 您正试图更改一个已签署的文档,这将使文档(JWT)失效。但这实际上并不重要,因为它仅供您使用。
- 如果后续的 API 调用与授权范围相关联,这些调用将无法对您进行验证。
英文:
@dale You could try a slightly different method where you hold an internal mapping to the scope. But you would have to accept initials scopes as groups. However, what you are trying to achieve will not work for two reasons.
- You are trying to change a signed document which will invalidate the document (JWT). but that doesn't really matter as it is for your use only.
- If the subsequent API calls are linked to authorized scopes, the calls will not validate for you.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论