[mitreid-connect] Access Token & Scope

Justin Richer jricher at mit.edu
Sun Jan 4 18:32:59 EST 2015


It's a tradeoff consideration: on the one hand, you can pack more 
information into the token itself and have it be fairly self-contained 
(apart from revocation status), but then you have a big token and your 
protected resources need to understand this structure to get the 
information out. Also, unless you're also encrypting things, you're 
leaking information to the clients that carry the tokens. On the other 
hand, you can pack the bare information into the token (like an 
identifier) and have everything available from a network call 
(introspection). This lets you have very small tokens (given the limits 
of entropy for security's sake) but it requires more network access from 
the protected resources. You can of course cache things, and most 
protected resources are going to have pretty fast access to their 
authorization server in most deployments.

But in the end, it's a balance and a trade-off. With MITREid Connect, we 
decided to allow for both, as you've discovered. We decided to not put 
scopes into the token itself in order to keep the size down and to keep 
information from leaking to the client. For the same reason, we don't 
put the user id in it either. That logic is all defined in a pluggable 
service:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/f974f9513854a72adb8bc1d38cd0dfd13fc02965/openid-connect-server/src/main/java/org/mitre/openid/connect/token/ConnectTokenEnhancer.java

Which means that it can be overridden and replaced with local 
functionality. It might make sense to have this be a configurable 
option: which claims to include inside the access token. If that would 
work, please file an issue on GitHub to track it, and we would welcome a 
pull request to add that functionality.

  -- Justin

On 1/4/2015 4:47 PM, Yannick Béot wrote:
> Hi,
>
> Access tokens generated by MITREid Connect and transmitted to the 
> client are JWT tokens but do not contain scopes.
> Therefore, the resource server has to call the introspect URL to fetch the 
> scope.
>
> Since MITREid is using signed JWT, the resource server can verify the 
> access token.
> So why not include the scopes?
>
> Do you declare in MITREid Connect the client application and the 
> resource server, the client application with no introspection right, 
> the resource server with introspection?
>
> Best regards,
>
> Yannick Béot
>
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
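The trade-off Justin describes above (claims packed into a signed JWT versus a bare identifier resolved by introspection) as an added, stand-alone example. This is not code from the thread or from the MITREid Connect project: it uses an HS256-signed JWT built with only the Python standard library, an in-memory dict standing in for the authorization server's introspection endpoint, a constructed shared secret, and hypothetical function names. It shows what a client can read out of each token shape without the key, and that the reference-style token picks up revocation state from introspection while the self-contained one does not.

```python
"""Added example (not MITREid Connect code): the two access-token designs
discussed in the thread, using only the standard library.

Assumptions (not from the thread): HS256 JWTs with a shared secret, an
in-memory dict standing in for the AS's token store / introspection
endpoint, and "jti" as the token identifier. Names are hypothetical.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-shared-secret"  # constructed sample key, not a real one


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Sign a payload as a compact HS256 JWS: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def peek_claims(token: str) -> dict:
    """What any bearer (e.g. the client) can read WITHOUT the key: the
    payload is only base64url-encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> dict:
    """Resource-server side: check the HS256 signature, then return claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def is_valid(token: str, key: bytes = SECRET) -> bool:
    try:
        verify_jwt(token, key)
        return True
    except ValueError:
        return False


# --- design 1: self-contained token, scopes and user id inside the JWT ----

def mint_self_contained(jti, sub, scope, key=SECRET):
    return mint_jwt({"jti": jti, "sub": sub, "scope": scope}, key)


def authorize_self_contained(token, required_scope, key=SECRET) -> bool:
    """No network call: trust the signed claims. Note: no revocation check."""
    claims = verify_jwt(token, key)
    return required_scope in claims.get("scope", "").split()


# --- design 2: reference-style token (the MITREid default): jti only ------

TOKEN_STORE = {}  # constructed stand-in for the AS's token store


def mint_reference(jti, sub, scope, key=SECRET):
    TOKEN_STORE[jti] = {"active": True, "sub": sub, "scope": scope}
    return mint_jwt({"jti": jti}, key)  # nothing about user or scopes leaks


def introspect(jti: str) -> dict:
    """Simulated introspection response (RFC 7662 shape, minimal fields)."""
    rec = TOKEN_STORE.get(jti)
    if rec is None or not rec["active"]:
        return {"active": False}
    return dict(rec)


def revoke(jti: str) -> None:
    if jti in TOKEN_STORE:
        TOKEN_STORE[jti]["active"] = False


def authorize_reference(token, required_scope, key=SECRET) -> bool:
    """Cheap local signature check first, then introspection for the scope
    and for revocation state the token itself cannot carry."""
    claims = verify_jwt(token, key)
    info = introspect(claims["jti"])
    return bool(info.get("active")) and required_scope in info.get("scope", "").split()
```

In a real deployment the introspection call is an authenticated HTTP request to the authorization server and its result would be cached for a short interval, as the reply above notes; the dict here only makes the two authorization paths comparable side by side.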
