krakend / krakend-ce

KrakenD Community Edition: High-performance, stateless, declarative, API Gateway written in Go.
https://www.krakend.io
Apache License 2.0

Scopes not validated as expected #377

Closed mmaedler closed 3 years ago

mmaedler commented 3 years ago

Describe what are you trying to do

I am implementing a POC based on Krakend showcasing machine-to-machine communication. For that I use Auth0's client credentials flow to obtain a JWT for my client to be able to authorize and to consume APIs behind krakend.

Since one requirement is that we have multiple consumers with different permissions I want to use the scopes feature to handle and validate those.

Your configuration file

```json
{
  "endpoint": "/product-proxied",
  "method": "GET",
  "output_encoding": "no-op",
  "extra_config": {
    "github.com/devopsfaith/krakend-jose/validator": {
      "alg": "RS256",
      "audience": ["http://localhost:8080"],
      "jwk-url": "https://tenantname.eu.auth0.com/.well-known/jwks.json",
      "scope_key": "scope",
      "scopes": ["test:scope"]
    }
  },
```

The resulting JWT has the following scopes set:

```json
"scope": "product:list:read product:item:read",
```

Therefore I would expect the request to be terminated at the gateway with an HTTP 403. However, that isn't the case — the request gets forwarded to my backend and a response is returned.

Am I doing something wrong here?

kpacha commented 3 years ago

@mmaedler notice the key `scope_key` has a typo. The correct key is `scopes_key`. So, since the component is not informed of the name of the claim containing the scopes, it doesn't validate the scopes.

https://www.krakend.io/docs/authorization/jwt-validation/#jwt-validation-settings
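To make the effect of the typo concrete, here is an added Go example (not KrakenD's own code, and not from anyone in this thread) that models how a validator reads `scopes_key`, `scopes` and `scopes_matcher` from `extra_config` and checks a space-separated scope claim: with the misspelled key no `scopes_key` is read and every token passes, while with the correct key the issue's token lacks `test:scope` and is rejected. Type and function names and the `[]string` handling are this example's own assumptions; `scopes_matcher` is the documented setting and defaults to `any`.

```go
package main

import "strings"

// Subset of the krakend-jose validator settings discussed in the issue.
// Type and function names here are this example's own, not the project's.
type ValidatorConfig struct {
	ScopesKey     string   // "scopes_key": claim that carries the scopes
	Scopes        []string // "scopes": scopes the endpoint requires
	ScopesMatcher string   // "scopes_matcher": "any" (default) or "all"
}

// ConfigFromExtra reads the settings from a decoded extra_config object.
// Unknown keys such as the misspelled "scope_key" are ignored, so the
// issue's config ended up with no ScopesKey and validation was skipped.
func ConfigFromExtra(extra map[string]interface{}) ValidatorConfig {
	cfg := ValidatorConfig{ScopesMatcher: "any"}
	if v, ok := extra["scopes_key"].(string); ok {
		cfg.ScopesKey = v
	}
	if v, ok := extra["scopes"].([]string); ok { // a JSON decoder would yield []interface{}; simplified here
		cfg.Scopes = v
	}
	if v, ok := extra["scopes_matcher"].(string); ok {
		cfg.ScopesMatcher = v
	}
	return cfg
}

// ScopesAllowed reports whether the token claims satisfy cfg. Without a
// ScopesKey there is nothing to compare, so every token passes.
func ScopesAllowed(cfg ValidatorConfig, claims map[string]interface{}) bool {
	if cfg.ScopesKey == "" || len(cfg.Scopes) == 0 {
		return true
	}
	granted := map[string]bool{}
	raw, _ := claims[cfg.ScopesKey].(string) // missing claim => no scopes granted
	for _, s := range strings.Fields(raw) {  // space-separated, as in the issue's JWT
		granted[s] = true
	}
	matched := 0
	for _, want := range cfg.Scopes {
		if granted[want] {
			matched++
		}
	}
	if cfg.ScopesMatcher == "all" {
		return matched == len(cfg.Scopes)
	}
	return matched > 0
}
```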

mmaedler commented 3 years ago

D'oh. Thank you so much. Guess what: now it works. Sorry for bothering.

github-actions[bot] commented 2 years ago

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.