Add support for setting claims in clientcredential access tokens #1383
Comments
|
It would be quite difficult to achieve that with the feature set right now because claims should only be set by the Authorization Server (or one of it's sources, e.g. the IDP) and never by a client. Therefore:
It would therefore require some other means of setting this data. |
|
This is a very useful feature that comes up sooner or later in almost every real-life application using OIDC. Apps very often need service accounts. Many OIDC providers currently allow them via client_credentials flow (including KeyCloak, Connect2Id, Google's OIDC and others).
That being said, of course, it could be more convenient if Hydra could ask some external app for client's claims similarly to what it currently does with login and consent apps. But this probably needs much more intervention into the code (and sways further away from the main purpose of Hydra, i.e., implementing protocol) than simply allowing to specify client's claims on client creation. |
|
@aeneasr Is it possible to solve this by introducing configurable webhook which can be called when there is a If it is configured Hydra could Such approach seems to be consistent with what Hydra already does. |
|
@svrakitin have you seen #1748 ? I think it makes a tad more sense as it kinda decouples the two components. We might still be able to add some function which does a HTTP request to the jsonnet though! |
|
@aeneasr As for the second step: the solution via a hook aka "client_credentials_claims-app" proposed here in my opinion still looks much more flexible than jsonnet and more in line with Hydra's approach. (Of course, again it is a good idea to disallow defining such a hook on public client registration.) The only real benefit of jsonnet seems to be the speed of token issuing. But token issuing is rarely a bottleneck, instead token interpolation/userinfo requests usually are. |
|
Hm I think it would be better to have a dedicated endpoint where admin access allows to specify client claims. You can then update the client when changes are needed, instead of Hydra requesting info on every client request. So push instead of pull :) |
|
Hello contributors! I am marking this issue as stale as it has not received any engagement from the community or maintainers a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. Unfortunately, burnout has become a topic of concern amongst open-source projects. It can lead to severe personal and health issues as well as opening catastrophic attack vectors. The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. If this issue was marked as stale erroneous you can exempt it by adding the Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! Thank you 🙏✌️ |
github-actions
bot
added
the
stale
aeneasr
removed
the
stale
|
Hello contributors! I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic. Unfortunately, burnout has become a topic of concern amongst open-source projects. It can lead to severe personal and health issues as well as opening catastrophic attack vectors. The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone. If this issue was marked as stale erroneously you can exempt it by adding the Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you! Thank you 🙏✌️ |
github-actions
bot
added
the
stale
|
Unstale please |
github-actions
bot
removed
the
stale
|
hello for those who need this feature(injecting client's metadata to JWT access tokens), I have created this in my own fork so feel free to use also deliberately would love if people used less interfaces according to core Go philosophy :/ |
|
This is implemented via token webhooks. |
Is your feature request related to a problem? Please describe.
I have a variety of internal applications which have various metadata they require when a token shows up. Specifically this is problematic for "bot" users. I have bot or service-accounts that are created by my oauth clients on behalf of a user. These "bot" tokens need to have some metadata (who created it, when it was created, etc.). Today this would require me to maintain a map of token -> metadata which means (1) I have duplication of the token and (2) I'm having to store it in a few places.
Describe the solution you'd like
Simply I'd like to be able to define
claimsfor an access token minted through the clientcredential flow. This would enable my use-case as well as others (e.g. #1221).Describe alternatives you've considered
As it stands today I don't use hydra/oauth for this, as it would require me to effectively duplicate al the token data.
The text was updated successfully, but these errors were encountered: