[BC Idea]: Get the claims from a SecretText JWT Token #2296
Assignees
Labels
BCIdea
Issue related to a BCIdea
Comments
|
@WaelAbuSeada / @darjoo, is this justifiable from a security perspective? Please triage. |
|
@WaelAbuSeada / @darjoo, I can create a draft PR for this if you want to see the implementation approach before making a decision on this? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
BC Idea Link
https://experience.dynamics.com/ideas/idea/?ideaid=e565077f-7b98-ef11-95f5-7c1e526e605f
Description
When troubleshooting OAuth and trying to figure out why an AccessToken is not being accepted by the resource you are trying to use it on, we have earlier been able to get the AccessToken in plain text and put it into jwt.ms (or any other similar tool) to parse the token and look into all the claims (see https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims for more information).
Looking at the claims often explains why it does not work, like missing scopes, new configuration not in effect yet (things get cached a lot nowadays), etc.
With the switch to SecretText in the Oath2 module, we cannot get the AccessToken in plain text. Hence, we cannot parse the AccessToken to get the claims. :(
I suggest a new function in the OAuth2 module that has the AccessToken (SecretText) as parameter and returns the claims as a JsonObject.
On top of that we could also add new functions that returns common claims in an easier way, like expiration time (requested in https://experience.dynamics.com/ideas/idea/?ideaid=41f5d251-1a59-ee11-a81c-0022484c1d83).
I will provide the implementation for this BC Idea
The text was updated successfully, but these errors were encountered: