We are trying to set up the OAuth2 client credentials grant for securing our APIs deployed on k8s. Currently:
- we are using Ory Hydra as the authorization server issuing access tokens to the client
- nginx is our ingress controller; for each API we use the `auth-url` annotation to direct the request to a custom component. The custom component basically retrieves the JWT token and validates it.
The question is more on this custom component which has the validation logic:

We want to use `scope` to do the authorization, but where should I keep the mapping between `scope` and the upstream API? Currently we are just using a context path for it, e.g. if `api-a` has context path `api-a`, the client will be requesting a token with scope `api-a`, then we validate whether the `X-Original-Url` is prefixed with `issuer` + `scope`. This does not seem like a flexible way; just wondering where this mapping is normally kept?

Since I am using a JWT token as the access token, does this mean I don't need to call the authorization server with `introspect` anymore, since I can validate the validity of the JWT token locally?
Q1
It is possible to check scopes in the ingress, but this can have deployment issues, e.g. frequently having to reconfigure or redeploy the ingress when API logic changes.
The most flexible option is to forward the JWT to each upstream API, so that they can apply both coarse-grained authorization using OAuth token scopes and finer-grained authorization using OAuth token claims.
For example, this provides a setup where, if APIs are coded correctly, the OWASP number 1 API vulnerability, broken object level authorization, is avoided.
Q2
You don't need to introspect JWTs. Introspection is used with opaque access tokens, whose role is usually to prevent disclosing sensitive access token data to internet clients.