Scopes specified when creating clients are missing in access token

[ksmets]

I'm playing around with creating clients with oauth2 scopes.

I expected the scopes that you specify when creating a client would be present when generating the access token. However this is not the case.

I created the client as follows:

$ docker-compose -f quickstart.yml exec hydra \
    hydra clients create \
    --endpoint http://127.0.0.1:4445/ \
    --id my-client \
    --secret secret \
    --grant-types client_credentials \
    --scope openid,offline,photos.read

Generate the access token as follows:

$ docker-compose -f quickstart.yml exec hydra \
    hydra token client \
    --endpoint http://127.0.0.1:4444/ \
    --client-id my-client \
    --client-secret secret

When I introspect the opague token, the scope is missing.

{
	"active": true,
	"aud": [],
	"client_id": "my-client",
	"exp": 1634548581,
	"iat": 1634544981,
	"iss": "http://127.0.0.1:4444/",
	"nbf": 1634544981,
	"sub": "my-client",
	"token_type": "Bearer",
	"token_use": "access_token"
}

When creating the access token with scopes passed along, scopes are present as expected.

$ docker-compose -f quickstart.yml exec hydra \
    hydra token client \
    --endpoint http://127.0.0.1:4444/ \
    --client-id my-client \
    --client-secret secret
    --scope openid,offline,photos.read

{
	"active": true,
	"aud": [],
	"client_id": "my-client",
	"exp": 1634548635,
	"iat": 1634545035,
	"iss": "http://127.0.0.1:4444/",
	"nbf": 1634545035,
	"scope": "openid offline photos.read",
	"sub": "my-client",
	"token_type": "Bearer",
	"token_use": "access_token"
}

Is this by design? Or should I open an issue ticket?

Thx!

[gi-wg2]

Your client will include which scopes are allowed.

You need to include the scopes you want when you do your client credentials flow, which then of course needs to be from the list of allowed ones.

[ksmets]

So this is different from the scopes/permissions in auth0 machine to machine applications?

There the scopes granted when creating machine to machine applications are present even without specifying them when creating the token.

[aeneasr]

You can change this behavior using a config flag - check the bottom section of https://www.ory.sh/hydra/docs/guides/migrating-from-mitreid/ :)

[ksmets]

Thx. Exactly what I was looking for.

[sezanzeb]

Since Ory uses scp as the scope claim, you have to be sure your client libraries are capable to use both.

Why is that? The standard seems to call this "scope" https://www.rfc-editor.org/rfc/rfc9068

Can this be changed via configuration?

[sezanzeb]

Found the reasoning: ory/fosite#362 (comment), but I can't tell how this is configurable now.