Replies: 1 comment 1 reply
-
|
Good question. Can you share how you requested the token exchange? CC @livio-a @muhlemmer what is your take on the rfc? |
Beta Was this translation helpful? Give feedback.
-
|
Access tokens should have the scope claim. This might be a bug. However, don't confuse access tokens with ID tokens. ID Tokens are also JWTs, but do not have the scope claim. Only an access token, configured in zitadel as JWT (and not opaque) will have the scope claim. For opaque access tokens, the scope claim can be obtained on the introspection endpoint only. It would be good to know what was requested during the Note that the Token Exchange grant does not force a minimal set of scopes, as we do with OpenID Code flow for example. This means you can effectively request tokens without scope and then end up without the scope claim in the resulting token. |
Beta Was this translation helpful? Give feedback.
-
According to RFC8693 4.2 the "scope" claim is supposed to be returned in the JWT Claims set, however Zitadel does not seem to return this. I verified this using jwt.io and found it missing in my JWT token. I am trying to use an AWS API Gateway with the JWT Authorizer access to a backend API, but this to returns back an error for missing "scope". (The token must include at least one of the scopes in the route's authorizationScopes).
Has anyone gotten the AWS JWT Authorizer to work with Zitadel JWT tokens?
Beta Was this translation helpful? Give feedback.
All reactions