Spontaneous Scopes in Update Tokens Script

[tawaren]

In our use case prototype, we amongst other things, dynamically bind the lifetime of tokens based on the scopes. The scope represents access levels. For the initial test, we had a few fixed levels (1-3), each having a separate scope, which worked without problems. However, in the end we need a more fine granular approach, like levels from 1-100. Instead of having 100 scopes, we consider using a spontaneous scope. This worked well except for setting the lifetime over an UpdateToken script, as the spontaneous scope does not appear in context.getGrant().getScopes() - Is there an alternative way to get this scope or are spontaneous scopes and UpdateToken scripts incompatible?

[ossdhaval]

I would request @yuriyz to comment on this.

[yuriyz]

It should appear if globally and on client level it is properly configured.

Global AS config

• allowSpontaneousScopes - should be set to true

Client level config should have :

• allowSpontaneousScopes - set to true
• correct spontaneousScopes should be set, which matches requested scope

https://docs.jans.io/v1.0.21/admin/auth-server/scopes/#spontaneous-scopes

[tawaren]

Looking at the request-response revealed that the following line seems not to work:

RegisterRequest request = context.getRegisterRequest();
request.setAllowSpontaneousScopes(true);

The response still reads: "allow_spontaneous_scopes": false

The scope setting line seems to work:
request.getSpontaneousScopes().add(scope);
The response reads: "spontaneous_scopes": ["^access:\d+$"]

Files:
RegisterInteraction.txt
jans-auth.log

P.s: Thanks for the quick help, I appreciate it and choosing Janssen over Keycloak proved to be the right decission

[yuriyz]

In request there is no allow_spontaneous_scopes set.
Request should be

Request:
{
	"application_type":"web",
	"scope":"openid email profile",
	"redirect_uris":["https:\/\/client1.interreg.test.org\/auth_callback"],
	"response_types":["code"],
        "allow_spontaneous_scopes": true,
        "spontaneous_scopes": ["^access:\d+$"]
}

Did I get it correctly that wrong request is constructed by RegisterRequest?

RegisterRequest request = context.getRegisterRequest();
request.setAllowSpontaneousScopes(true);

Ask because I see parameter applied in latest source code

jans/jans-auth-server/client/src/main/java/io/jans/as/client/RegisterRequest.java

Line 2157 in 3be7305

function.apply(ALLOW_SPONTANEOUS_SCOPES.toString(), allowSpontaneousScopes.toString());

[tawaren]

Sorry if it was not clear, but the following code snippet is part of a dynamic client registration script:

RegisterRequest request = context.getRegisterRequest();
request.setAllowSpontaneousScopes(true);

If I set "allow_spontaneous_scopes": true manually in the Request, it works, but I would prefer it when that is set in the client registration script, such as all dynamically registered clients have it, and that's the part that currently does not work.

[yuriyz]

I see, context.getClient() returns server side constructed object. You can change any value there including allowSpontaneousScopes.

Like this: context.getClient().getAttributes().setAllowSpontaneousScopes(true);