hydra
Bundle request parameters into access token in "client_credentials" flow
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe your problem
I am looking into the "client_credentials" flow and ways to limit the validity of an access token to only certain contexts. The context cannot be sufficiently described by scopes, audiences, etc. It seems to me that the only solution is to let the client dynamically add claims (which describe the context) to the access token. From the protocol perspective, looking at https://datatracker.ietf.org/doc/html/rfc6749#section-8.2, it seems to be permissible: the client could add extra parameters to the request, and the server would add them to the access token. The server configuration would need to have a list of valid request parameters that can go into the access token, for sanitizing requests. Does this make sense to you?
Describe your ideal solution
Let hydra take agreed-upon request parameters, per https://datatracker.ietf.org/doc/html/rfc6749#section-8.2, and add them to the access token. The server configuration would have a list of allowed request parameters that can go into the access token, for sanitizing requests.
Workarounds or alternatives
I cannot think of any.
Version
master
Additional Context
This seems to be closely related to https://github.com/ory/hydra/issues/1748.
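The mechanism proposed above (allow-listed RFC 6749 section 8.2 extension parameters copied into the access token), as an added stand-alone example that is not Hydra's code and not part of the original issue. `ExtensionClaimConfig`, the `reservedClaims` list and the HS256 signing are assumptions made here to keep the example self-contained; the sample token request is constructed. Parameters missing from the allow-list are silently dropped, as section 8.2 requires for unrecognised extension parameters, while an allow-listed parameter that is duplicated, empty, oversized, or configured to land on a reserved claim rejects the whole request, so a client can never overwrite `sub`, `scope`, `exp` and the like through the request body.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// ExtensionClaimConfig is a hypothetical server-side allow-list (not a Hydra
// setting): which extension request parameters may be copied into the access
// token, and under which claim name. Anything not listed is ignored.
type ExtensionClaimConfig struct {
	Allowed map[string]string // request parameter name -> claim name
	MaxLen  int               // longest accepted parameter value, in bytes
}

// Claims the client must never be able to set through a request parameter.
var reservedClaims = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true, "iat": true,
	"nbf": true, "jti": true, "scope": true, "client_id": true,
}

// ExtractExtensionClaims filters the token request form against cfg. Unknown
// parameters are dropped (RFC 6749 section 8.2); a listed parameter with a bad
// value, or a config entry that targets a reserved claim, is an error.
func ExtractExtensionClaims(form url.Values, cfg ExtensionClaimConfig) (map[string]string, error) {
	out := map[string]string{}
	for param, claim := range cfg.Allowed {
		if reservedClaims[claim] {
			return nil, fmt.Errorf("config maps %q onto reserved claim %q", param, claim)
		}
		vals, ok := form[param]
		if !ok {
			continue
		}
		if len(vals) != 1 {
			return nil, fmt.Errorf("parameter %q must appear exactly once", param)
		}
		if v := vals[0]; v == "" || len(v) > cfg.MaxLen {
			return nil, fmt.Errorf("parameter %q has an empty or oversized value", param)
		}
		out[claim] = vals[0]
	}
	return out, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueToken builds an HS256 JWT for a client_credentials grant. Standard
// claims are fixed by the server; extra claims come only from the allow-list.
// HS256 with a server-held key is an assumption to keep the example offline.
func IssueToken(clientID, scope string, form url.Values, cfg ExtensionClaimConfig, key []byte, now time.Time) (string, error) {
	ext, err := ExtractExtensionClaims(form, cfg)
	if err != nil {
		return "", err
	}
	claims := map[string]interface{}{
		"iss": "https://issuer.example", "sub": clientID, "client_id": clientID,
		"scope": scope, "iat": now.Unix(), "exp": now.Add(time.Hour).Unix(),
	}
	for k, v := range ext {
		claims[k] = v // cannot collide: reserved names were rejected above
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(hdr) + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyToken checks the signature and returns the claims, so a resource
// server can test e.g. claims["tenant"] before serving a request.
func VerifyToken(token string, key []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}

func main() {
	cfg := ExtensionClaimConfig{Allowed: map[string]string{"tenant": "tenant", "region": "region"}, MaxLen: 64}
	// Constructed request: tenant/region are allow-listed extension parameters, color is not.
	form, _ := url.ParseQuery("grant_type=client_credentials&scope=read&tenant=acme&region=eu&color=blue")
	key := []byte("constructed-demo-key-not-for-production")
	tok, err := IssueToken("svc-billing", "read", form, cfg, key, time.Now())
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	claims, _ := VerifyToken(tok, key)
	fmt.Println(claims["tenant"], claims["region"], claims["color"]) // acme eu <nil>
}
```

The resource server then enforces the context by comparing the verified claim against the request it is serving (for instance, rejecting a call for tenant `globex` when the token carries `tenant=acme`), which is exactly the narrowing that scopes and audiences alone could not express.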