[OPENAM-8440] Pluggable OAuth2 Access Token Format Created: 25/Feb/16 Updated: 22/Nov/18 Resolved: 22/Nov/18
|Affects Version/s:||13.0.0, 13.5.0, 13.5.1, 14.0.0, 14.1.0, 14.1.1, 14.5.0, 14.5.1, 5.5.1|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Link:||OAuth 2.0 Improvements|
|Support Ticket IDs:|
The current OAuth2 access_token is not pluggable - it's a stateful proprietary opaque token type.
Ideally the access_token format should be pluggable based on implementation. For example, the ability to leverage a JWT format, with an additional scriptable component to control attributes within the JWT similar to the scriptable OIDC id_token.
|Comment by Andy Hall [ 07/Apr/16 ]|
Simon Moffatt We plan to offer a stateful or stateless OAuth token based on realm config.
Can you provide an example use case for wanting this pluggable format too?
|Comment by Miguel Fernandez [X] (Inactive) [ 09/Jan/17 ]|
I am using stateless OAuth2 access tokens (JWT encoded) as they were included in OpenAM 13.5. This is working for me.
However, I miss the ability to leverage the JWT format that @SimonMoffatt mentioned allowing a scriptable component to control which attributes to include inside the JWT token (in the payload section) - similar to the scriptable OIDC id_token. Has there been any progress in this regard?
The use case scenario is that we need to add additional attributes in the payload section of the JWT token (for my current scenario it could be a set of attributes; for someone else, any other). The reason is that with OAuth2 you only have one token (an access token), not an access token plus an additional identity token (like OIDC).
For instance, the decoded "payload" section of the example JWT message would look like this, including the "ROLES" attribute:
In summary, customizing the JWT payload for OAuth2 stateless tokens is necessary for those systems that use plain OAuth2 (with only an access token), not OIDC.
The issue seems a bit old, from last April. Has there been any progress in this direction?
Thanks and Regards,
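An added example, not OpenAM code and not posted by anyone in this thread, of what the ticket asks for and what Miguel's use case needs end to end: an issuer minting a stateless JWT access token whose payload carries a script-supplied "ROLES" claim next to the standard claims, and a plain-OAuth2 resource server (no id_token available) verifying the signature and expiry and reading ROLES from the access token itself. The HS256 shared key, the issuer URL, the claim values and the `extra_claims` hook standing in for a scriptable component are all constructed for illustration; the realm's real signing algorithm, key and claim names are assumptions, not OpenAM's configuration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; stands in for whatever key the realm would sign with.
# Illustration only: OpenAM's stateless tokens are not minted by this code.
DEMO_KEY = b"example-shared-secret-do-not-use-in-production"
DEMO_ISSUER = "https://idp.example.com/openam/oauth2"  # assumed issuer value


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Inverse of b64url_encode; restores padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(subject, scopes, extra_claims, key=DEMO_KEY, ttl=3600, now=None):
    """Issue an HS256-signed JWT access token.

    `extra_claims` plays the role of the scriptable component requested in the
    ticket: a hypothetical script computes e.g. {"ROLES": [...]} and it is
    merged into the payload. Reserved claims are written last so script output
    cannot change the subject, issuer or lifetime.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    reserved = {
        "sub": subject,
        "iss": DEMO_ISSUER,
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + ttl,
    }
    payload = {**extra_claims, **reserved}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_access_token(token, key=DEMO_KEY, now=None):
    """Resource-server side: check alg, signature and expiry; return the payload.

    Raises ValueError on any failure. The expected algorithm is fixed by the
    verifier, so a header of "alg":"none" or a different alg is rejected rather
    than trusted.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def roles_from_token(token, key=DEMO_KEY, now=None):
    """What a plain-OAuth2 resource server wants: roles carried by the access
    token itself, only after the token has been verified."""
    return verify_access_token(token, key, now).get("ROLES", [])


if __name__ == "__main__":
    tok = mint_access_token("alice", ["read", "write"], {"ROLES": ["admin", "auditor"]})
    print(tok)
    print(verify_access_token(tok))
    print(roles_from_token(tok))
```

A symmetric HS256 key is used only to keep the example dependency-free; with it, every resource server that can verify tokens can also mint them, so a deployment would sign with an asymmetric key (RS256/ES256) and distribute only the public part. The merge order in `mint_access_token` is the check worth keeping whatever the implementation: script-controlled attributes must not be able to overwrite `sub`, `iss`, `exp` or `scope`.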
|Comment by Miguel Fernandez [X] (Inactive) [ 12/Jan/17 ]|
There is another JIRA issue opened related to some possible improvements for OAuth2 stateless (JWT) tokens here:
I wanted to relate them, in case you want to consider all the proposed improvements together, but I was not able to do so.
Thanks and Regards,
|Comment by Bernhard Thalmayr [ 23/Apr/18 ]|
This is needed for all kind of use cases.
|Comment by Andy Hall [ 22/Nov/18 ]|