TokenIntrospectionSuccessResponse should support parsing scopes presented as JSONArray

Comments (3)

1. 

   Yavor Vasilev

   • changed status to open

   Hi Gerardo!

   Where does this code come fron NimbusOpaqueTokenIntrospector#convertClaimsSet?

   It's not part of this SDK.

   • 2019-10-24T11:00:29+00:00
2. 

   Gerardo Roza reporter

   Sorry Yavor, I first thought that was part of this library too, because of its name.

   The NimbusOpaqueTokenIntrospector is a Spring Security class (particularly, it is part of the spring-security-oauth2-resource-server artifact) that uses classes from this library:

   https://github.com/spring-projects/spring-security/blob/82ae4db4ccc1bc0fc38556d1c6f6e30bf6695f42/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java#L227

   I also created an issue in the Spring Security repo (#7563), and they made me realize that the specs actually dictate that scope is expected to be a space-delimited string (here).

   So, I think the bottom line here is “we’re ok, we’re respecting the specifications, but do we want to also support the ‘scope’ value as an array of strings?” (of course, we’re separating the scopes anyway at some point, so receiving it as an array at the beginning of the process might not be that bad IMO)

   • 2019-10-25T13:29:16+00:00
3. 

   Yavor Vasilev

   • changed status to invalid

   According to the token introspection RFC, the scope is a space separated string:

   https://tools.ietf.org/html/rfc7662#section-2.2

   The Scope class has helper methods to get the individual values:

   https://www.javadoc.io/doc/com.nimbusds/oauth2-oidc-sdk/6.17/com/nimbusds/oauth2/sdk/Scope.html

   • 2019-10-26T19:27:46+00:00
4. Log in to comment