Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

JWT-grant as a new Oauth2 flow

See original GitHub issue

RFC7523 extends Oauth2 by using JWTs as grants.

It would be nice if this behaviour could be added as a new type of flow under the Oauth2 securityScheme, in addition to existing ones (authorizationCode, implicit, etc.)

The full name in the RFC is urn:ietf:params:oauth:grant-type:jwt-bearer, but I guess JWT will suffice. Apart from that, the tokenUrl and scopes would be needed.

Issue Analytics

State:
Created 4 years ago
Reactions:4
Comments:6 (3 by maintainers)

Top GitHub Comments

2reactions

ioggstreamcommented, Mar 11, 2021

Any news on that?

0reactions

ioggstreamcommented, Feb 1, 2022

@darrelmiller like @johakoch wrote, using JWTs for Client Authentication can already be expressed as such, though the OAS spec does not contain all the required information to retrieve the token. For example, we need to specity client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and the JWT schema, in terms of the specific required claims/header-parameters.

Currently all those information are usually in description but it would be great to have a way to specify them.

    OAuth2:
      type: oauth2
      flows:
        clientCredentials:  # <- iiuc it's either  clientCredential or authorizationCode(PKCE)
          tokenUrl: https://pdnd.gov.it/as/token
          description: |-
            client_assertion_type: ...
            client_assertion format
          scopes:
            write:pets: modify pets in your account
            read:pets: read your pets

To support instead JWT as Authorization Grant, it is probably required to register new keywords.