Closed issmith1 closed 4 years ago
Code-gen is happy with the updated nup-roles.yml
Just thinking out loud - what would a request for multiple scopes look like? Considering that you can't have arrays in URL query params, the request would be scope strings joined with ',' -
/token?scope=example.a.read,example.b.read&...
Would be handy to explicitly state in the spec.
@arkits Not sure I understand your question. The datatype for request scope is a string with space-separated scopes. Thus URL encoding for spaces would be employed. Here 'scope=a b'
curl --request POST 'https://gcatipoc.auth.us-east-1.amazoncognito.com/oauth2/token?scope=a%20b&grant_type=client_credentials'
I am confused and concerned with this conversation. I hope I am not misunderstanding, so please correct me if I am wrong as it has been a while since I've thought about these details.
The /token endpoint doesn't take query parameters. It takes an HTTP body of type form-urlencoded. This is important, because it is this body that gets signed for authentication purposes.
So, to me it seems both of you are mis-stating the approach. There are no query params to discuss.
However, in the HTTP body in form-urlencoded format, we would sort of use what Irene mentions. A space between multiple scopes, with that whole string of scopes enclosed in quotes.
This would be a valid HTTP body (I think, please sanity check):
grant_type="client_credentials"&scopes="scope-a scope-b"&client_id="my_id"&current_timestamp-"2020-06-11T03:13:31.485Z"
And it is exactly that string that is signed for the authn part.
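Added example, not part of the thread or the project's code: a round trip of a multi-scope client_credentials request through a form-urlencoded body, showing why a signature has to be checked against the exact body bytes. It assumes the RFC 6749 field name `scope`; the HMAC-SHA256 signature and the demo key are stand-ins, since the thread does not say which signing scheme is used.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlencode

SCOPES = ["example.a.read", "example.b.read"]  # scope names from the thread


def build_body(scopes, client_id, space_as_plus=True):
    """Serialize a client_credentials request as a form-urlencoded body."""
    params = {
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),  # RFC 6749: one space-delimited string
        "client_id": client_id,
    }
    # A space may be written as '+' or as '%20'; both decode to the same value.
    if space_as_plus:
        return urlencode(params)
    return urlencode(params, quote_via=quote)


def parse_scopes(body):
    """Server side: decode the body and split the scope string on spaces."""
    fields = parse_qs(body, strict_parsing=True)
    if len(fields.get("scope", [])) != 1:
        raise ValueError("scope must appear exactly once")
    return fields["scope"][0].split(" ")


def sign(body, key):
    """Stand-in signature (assumption): HMAC-SHA256 over the exact body bytes."""
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()


def verify(body, signature, key):
    """Constant-time check of the signature against the body as received."""
    return hmac.compare_digest(sign(body, key), signature)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed value, for illustration only
    plus = build_body(SCOPES, "my_id")
    pct = build_body(SCOPES, "my_id", space_as_plus=False)
    print(plus)
    print(pct)
    print(parse_scopes(plus) == parse_scopes(pct))  # same scopes either way
    print(verify(pct, sign(plus, key), key))        # bytes differ, so this fails
```

A comma-joined value decodes to a single scope token, so a server that splits on spaces would not see two scopes in it.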
@nasajoey yeah, I was not thinking about the context.
We see 'scope' in JwtClaimsSet as a list of size 2.
We also see the Token request scope and the token response scope.
Archit- pls see new Roles definitions as discussed. Your famous pictures are now in readme.