Scope field is empty in Token Response #5753
Comments
Did you add scopes to your resource

BTW from what I can read from the context you've provided, this is not a bug, removed the "bug" tag. Feel free to bring it back with more context.
Do I need to do this for openid scopes as well?

The thing is, they are added to the token in case of an opaque access_token, even if an ID Token is present, but when a JWT is generated, the field is an empty string like the example above.

Example Opaque Token

Here both resource & openid scope are sent.

Auth Request

Auth Response

Token Request

Token Response
Could you please attach your SDK config? You need to add your resource and scope in the SDK config.
I'm not using any official SDK, developing in Expo:

```tsx
import * as React from 'react';
import { Button, Text, View } from 'react-native';
import * as AuthSession from 'expo-auth-session';
import * as WebBrowser from 'expo-web-browser';

WebBrowser.maybeCompleteAuthSession();

const redirectUri = AuthSession.makeRedirectUri();
const CLIENT_ID = 'gthwi145jrqgqw7itehxz';
const SCOPES: string[] = [
  'openid',
  'profile',
  'email',
  'offline_access',
];

export default function Auth() {
  const [token, setToken] = React.useState<any>();
  const discovery = AuthSession.useAutoDiscovery('http://localhost:3001/oidc');

  // Create and load an auth request (PKCE with S256, resource indicator passed as an extra param)
  const [request, result, promptAsync] = AuthSession.useAuthRequest(
    {
      usePKCE: true,
      codeChallengeMethod: AuthSession.CodeChallengeMethod.S256,
      clientId: CLIENT_ID,
      redirectUri,
      scopes: SCOPES,
      prompt: AuthSession.Prompt.Consent,
      extraParams: {
        resource: 'https://api.mevris.app',
      },
    },
    discovery
  );

  // Exchange the authorization code for tokens once the browser flow succeeded
  const handleResponse = React.useCallback(async () => {
    if (result?.type !== 'success' || result.params.error) {
      console.log('Something went wrong');
      return;
    }
    const tokenResult = await AuthSession.exchangeCodeAsync(
      {
        scopes: SCOPES,
        code: result.params.code,
        clientId: CLIENT_ID,
        redirectUri,
        extraParams: {
          code_verifier: request?.codeVerifier ? request.codeVerifier : '',
        },
      },
      discovery as any
    );
    setToken(JSON.parse(JSON.stringify(tokenResult)));
  }, [request, result, discovery]);

  return (
    <View style={{ flex: 1, justifyContent: 'center', alignItems: 'center' }}>
      <Text>AuthSession Example</Text>
      <Text>Redirect URI: {redirectUri}</Text>
      <Text>Client ID: {CLIENT_ID}</Text>
      <Text>Scopes: {SCOPES.join(', ')}</Text>
      <View style={{ height: 20 }} />
      <Button title="Login!" disabled={!request} onPress={() => promptAsync()} />
      {result && <Text style={{ width: '90%' }}>{JSON.stringify(result, null, 2)}</Text>}
      <Button title="Get Token" disabled={result?.type !== 'success'} onPress={() => handleResponse()} />
      {token && <Text style={{ width: '90%' }}>{JSON.stringify(token, null, 2)}</Text>}
    </View>
  );
}
```
You should add your scopes to

I'm not using any custom scopes, intend to use only standard openid scopes for now. Problem is, even they're missing in the token response.
Should they also not show here (response from first example):

Notice also, no ID Token issued here.

token request with
I'm expecting. Please guide: when I have the following response, which I am getting in my use case, how do I check scopes? Moreover, in the JWT there are no profile or email claims.

My requirement is very simple: I want to generate a JWT token (not an opaque token) that has the required claims (profile, email, etc.). Our system was designed on Keycloak, and we had claims in the access token. We are trying to replicate the same here, to migrate to Logto.
I think you're mixing up the concepts of OIDC scopes and API resource scopes. The scopes you mentioned (openid, profile, offline_access, etc.) are OIDC scopes, which are primarily focused on user authentication and providing identity-related information. The consumer of these scopes is the OIDC auth server, not your own API server. API resource scopes are focused on controlling access to specific functionalities or data within an API, and this is what you really want in your access tokens. You can only define these scopes in an "API resource". Simply go to "Logto console -> API resources" and create an API resource first, then create your scopes under the context of your API resource. Your backend service should check these scopes rather than the OIDC scopes. Moreover, the "opaque" token you obtained earlier is the one that is used to fetch user information from the
Anyway I can achieve this?

Why do you need these claims in a JWT token when fetching userinfo, though? This information returned in the JWT is for "offline verification" purposes, usually used when requesting from client to server, or a 3rd-party API service. In these scenarios, you'll have to provide a JWT format token, so that the receiver can check if it is valid and you have proper scopes for the requesting resource even if the token is not issued by themselves.

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Describe the bug

While authenticating a user, the token response has an empty scope. I would like to get the JWT access token, and as per the docs I am sending the API resource param (which is the default API resource as well) without the `openid` scope. If I send the `openid` scope (along with the resource param), then the scope property has the required scopes but the access_token is an opaque token and not a JWT.

Expected behavior

Token response should have a JWT access_token and the scope field filled with the required scopes.
How to reproduce?
Auth Request
Auth Response
Token Request
Token Response