nasa / utm-apis

The collection of APIs for NASA's UTM project in the form of OpenAPI documents.

Upp2 msg signing and scopes #175

Closed issmith1 closed 4 years ago

issmith1 commented 4 years ago

We see 'scope' in JwtClaimsSet as a list of size 2.
We also see the token request scope and the token response scope.

Archit, please see the new Roles definitions as discussed. Your famous pictures are now in the readme.

arkits commented 4 years ago

Code-gen is happy with the updated nup-roles.yml

arkits commented 4 years ago

Just thinking out loud: what would a request for multiple scopes look like? Considering that you can't have arrays in URL query params, the request would be scope strings joined with ',':

/token?scope=example.a.read,example.b.read&...

Would be handy to explicitly state in the spec.

issmith1 commented 4 years ago

@arkits Not sure I understand your question. The datatype for request scope is a string with space separated scopes. Thus URL encoding for spaces would be employed. Here 'scope=a b'

curl --request POST 'https://gcatipoc.auth.us-east-1.amazoncognito.com/oauth2/token?scope=a%20b&grant_type=client_credentials'

nasajoey commented 4 years ago

I am confused and concerned with this conversation. I hope I am not misunderstanding, so please correct me if I am wrong as it has been a while since I've thought about these details.

The /token endpoint doesn't take query parameters. It takes an HTTP body of type form-urlencoded. This is important, because it is this body that gets signed for authentication purposes.

So, to me it seems both of you are mis-stating the approach. There are no query params to discuss.

However, in the HTTP body in form-urlencoded format, we would sort of use what Irene mentions. A space between multiple scopes, with that whole string of scopes enclosed in quotes.

This would be a valid HTTP body (I think, please sanity check):

grant_type="client_credentials"&scopes="scope-a scope-b"&client_id="my_id"&current_timestamp="2020-06-11T03:13:31.485Z"

And it is exactly that string that is signed for the authn part.

issmith1 commented 4 years ago

@nasajoey yeah i was not thinking about the context.