Different behavior between MITREid / Hydra #2141

Closed
monwolf opened this issue Oct 21, 2020 · 3 comments

monwolf (Contributor) commented Oct 21, 2020

Hi,

Currently, we have MITREid Connect implemented on our microservice platform, generating JWTs for authenticating the connection between the microservices.

For performance issues, we would like to replace our solution with Hydra, as it seems to work smoothly under big workloads.

After digging a little bit we found 2 main differences in the response:

  • The claim scope is replaced by scp in ory/Hydra. This is not a big deal; we need to adjust our middleware a little bit.

  • If the request doesn't contain any scope, you receive an empty list of scp in the response, while in MITREid Connect you get the full list of scopes assigned. Is there any way to get the full list without having to specify it?

Thanks for your effort!

aeneasr (Member) commented Oct 21, 2020

> The claim scope is replaced by scp in ory/Hydra. This is not a big deal; we need to adjust our middleware a little bit.

We recently merged a patch in ory/fosite which would allow changing this to scope!

> If the request doesn't contain any scope, you receive an empty list of scp in the response, while in MITREid Connect you get the full list of scopes assigned. Is there any way to get the full list without having to specify it?

Depends. If you are not talking about the client_credentials grant, you can choose the scope freely during the consent step. For client_credentials grants I am not sure if that's possible at the moment, but there have been ideas around supporting JsonNet transformation #1748!

monwolf (Contributor, Author) commented Oct 21, 2020

Hi @aeneasr,

Thanks for your response :)

Regarding the first point, do you have the commit/issue id to check it?

On the other point, we are talking about client_credentials. I think for our use case adding jsonnet is like trying to use a sledgehammer to crack nuts; for me the best solution would be to add a config param (general or per client) that allows choosing the behavior.

Thanks!

aeneasr (Member) commented Oct 25, 2020

> On the other point, we are talking about client_credentials. I think for our use case adding jsonnet is like trying to use a sledgehammer to crack nuts; for me the best solution would be to add a config param (general or per client) that allows choosing the behavior.

Haha - makes sense!
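
The middleware adjustment discussed in this thread, sketched as an added example that is not part of the thread and not code from Hydra or MITREid Connect: a resource server reads granted scopes from either claim name and fails closed when the list is empty, as it is for a client_credentials token requested without a scope. The function names and the `orders.read` scope are hypothetical, the claim shapes (`scp` as a JSON array, `scope` as a space-delimited string or array) are assumptions, and the claims are assumed to come from a token whose signature has already been verified.

```go
package main

import (
	"fmt"
	"strings"
)

// GrantedScopes reads scopes from verified claims decoded with encoding/json.
// It checks "scp" first, then "scope"; both shapes handled here are assumptions.
func GrantedScopes(claims map[string]interface{}) ([]string, error) {
	for _, name := range []string{"scp", "scope"} {
		switch v := claims[name].(type) {
		case nil:
			continue // claim absent, try the other name
		case string:
			return strings.Fields(v), nil // space-delimited string
		case []interface{}:
			out := make([]string, 0, len(v))
			for _, item := range v {
				s, ok := item.(string)
				if !ok {
					return nil, fmt.Errorf("claim %q has a non-string entry", name)
				}
				out = append(out, s)
			}
			return out, nil
		default:
			return nil, fmt.Errorf("claim %q has unsupported type %T", name, v)
		}
	}
	return nil, nil // no scope claim at all: nothing granted
}

// HasScope fails closed: a missing, empty or malformed list authorizes nothing.
func HasScope(claims map[string]interface{}, required string) bool {
	granted, _ := GrantedScopes(claims) // on error granted is nil
	for _, s := range granted {
		if s == required { // exact match only, no prefix matching
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims: a token issued with no scope requested.
	empty := map[string]interface{}{"scp": []interface{}{}}
	fmt.Println(HasScope(empty, "orders.read"))
}
```
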
