ePages-de / restdocs-api-spec

Adds API specification support to Spring REST Docs
MIT License
391 stars 103 forks

Incorrect way of getting scopes from OAuth2 JWT Token #217

Closed Kieun closed 1 year ago

Kieun commented 1 year ago

When getting OAuth2 scopes from a JWT bearer token, the current implementation tries to get the scope from the JWT payload and treats the scope value as a List<String>.

In accordance with Section 4.2 in RFC8693, the scope claim is defined as follows.

The value of the scope claim is a JSON string containing a space-separated list of scopes associated with the token, in the format described in Section 3.3 of [RFC6749]. Figure 7 illustrates the scope claim within a JWT Claims Set.

 {
   "aud":"https://consumer.example.com",
   "iss":"https://issuer.example.com",
   "exp":1443904177,
   "nbf":1443904077,
   "sub":"dgaf4mvfs75Fci_FL3heQA",
   "scope":"email profile phone address"
 }

For this reason, our generated OAS3 output fails to set the correct security information.
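A decoder for the claim as RFC 8693 defines it, added here as an illustration and not code from restdocs-api-spec (written in Python, although the project itself is JVM-based). It embeds the Figure 7 claims set as a constructed, unsigned sample token, splits the space-separated scope string, and accepts a JSON array only as a clearly labelled fallback; the array fallback and the error on any other type are this example's own choices, not something the RFC specifies.

```python
import base64
import json
from typing import List


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Return the JWT Claims Set of a compact-serialized token.

    This only decodes the payload; it does NOT verify the signature, so call it
    only on a token whose signature has already been validated, or on a sample.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def scopes_from_claims(claims: dict) -> List[str]:
    """Extract scopes from the 'scope' claim.

    RFC 8693 section 4.2: the claim is one JSON string holding a space-separated
    list (RFC 6749 section 3.3). A JSON array of strings is accepted as a
    fallback (assumption: some issuers emit that form); anything else raises
    instead of silently yielding no scopes.
    """
    raw = claims.get("scope")
    if raw is None:
        return []
    if isinstance(raw, str):
        return [s for s in raw.split(" ") if s]
    if isinstance(raw, list) and all(isinstance(s, str) for s in raw):
        return list(raw)
    raise TypeError(f"unsupported 'scope' claim type: {type(raw).__name__}")


def scopes_from_jwt(token: str) -> List[str]:
    return scopes_from_claims(jwt_claims(token))


# Constructed sample: the RFC 8693 Figure 7 claims set behind an unsecured
# header and an empty signature segment. Not a real token.
_HEADER = {"alg": "none", "typ": "JWT"}
_PAYLOAD = {"aud": "https://consumer.example.com", "iss": "https://issuer.example.com",
            "exp": 1443904177, "nbf": 1443904077, "sub": "dgaf4mvfs75Fci_FL3heQA",
            "scope": "email profile phone address"}
SAMPLE_JWT = ".".join([_b64url_encode(json.dumps(_HEADER).encode()),
                       _b64url_encode(json.dumps(_PAYLOAD).encode()), ""])
```

Running `scopes_from_jwt(SAMPLE_JWT)` on the sample yields the four scopes from the figure, which is what the OAS3 security section should be built from.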