feat: more rop claims #1934

40 changes: 40 additions & 0 deletions docs/oauth2-oidc/resource-owner-password-grant.mdx
Expand Up @@ -48,3 +48,43 @@
Client->>User: Use access token
`} />
```

## Token introspection and acces token claims

The access token that is issued can be introspected using the OAuth 2.0 Token Introspection endpoint. The following claims
returned from the introspection endpoint, and part of the access token if the config paramter `strategies.access_token` is set to

Check warning on line 55 in docs/oauth2-oidc/resource-owner-password-grant.mdx

GitHub Actions / misspell

[misspell] docs/oauth2-oidc/resource-owner-password-grant.mdx#L55

"paramter" is a misspelling of "parameter"
`jwt`:

- `sub`: The Ory Network identity ID of the user.
- `client_id`: The ID of the OAuth 2.0 client.
- `scope`: The scope of the token, as configured by the client and requested in the token request.
- `aud`: The audience of the token, as configured by the client.
- `iss`: The issuer of the token, the URL of the Ory Network instance.
- `ext.username`: The username of the user, as passed in the token request.

An example of the body returned from the introspection endpoint:

```json
{
"active": true,
"scope": "offline",
"client_id": "70d417fc-2aea-4830-b247-f140a9c4bae1",
"sub": "70d417fc-2aea-4901-4830-f140a9c412f7",
"exp": 1730210703,
"iat": 1730207103,
"nbf": 1730207103,
"username": "ory-username",
"aud": ["https://aud.example.com"],
"iss": "https://issuer.example.com",
"token_type": "Bearer",
"token_use": "access_token",
"ext": {
"username": "ory-username"
}
}
```

### Customizing the claims

The claims in the access token and introspection data can be further customized using a
[token hook](/hydra/guides/oauth2-webhooks.mdx).
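
Review bot: the claim list and the example response do not line up. The example body carries a top-level `username` alongside `ext.username`, and also `active`, `exp`, `iat`, `nbf`, `token_type` and `token_use`, while the list covers only `sub`, `client_id`, `scope`, `aud`, `iss` and `ext.username`, so a reader cannot tell which fields are introspection-only and which end up in the JWT when `strategies.access_token` is set to `jwt`. Suggest either splitting the list into those two groups or stating that the example shows additional introspection fields. Because `ext.username` is described "as passed in the token request", it would also help to tell resource servers to key authorization decisions on `sub` rather than on the username string. Smaller points: the heading reads "acces token", and the sentence "The following claims returned from the introspection endpoint, and part of the access token if ..." is missing its verb ("are").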