
Support "scope" claim as a string in jwt authenticator #137

Merged
merged 1 commit into from
Nov 15, 2018

Conversation

stszap
Contributor

@stszap stszap commented Nov 15, 2018

We want to use oathkeeper to validate JWTs generated by Auth0, but it seems that the "required_scope" option for the jwt authenticator only works when the "scope" claim is encoded as a JSON array. Meanwhile, the RFC mentions

a list of space-delimited, case-sensitive strings

and some identity providers (including Auth0) use that format with no option to switch it to an array.

For example, a rule

...
"authenticators": [{
  "handler": "jwt",
  "config": {
    "target_audience": ["..."],
    "required_scope": ["read:reports"],
    "allowed_algorithms": ["RS256"]
  }
}]
...

checked against a token with the claims

{
    "aud": "...",
    "azp": "...",
    "exp": 1542289232,
    "gty": "client-credentials",
    "iat": 1542202832,
    "iss": "...",
    "scope": "read:reports",
    "sub": "..."
}

gives the error

{
    "error": {
        "code": 403,
        "message": "Access credentials are not sufficient to access this resource",
        "reason": "Token is missing required scope read:reports.",
        "request": "00460c98dd6af2efbfceac7a3d133a1f",
        "status": "Forbidden"
    }
}

Proposed changes

I added some code to convert the "scope" claim to an array of interfaces if it's a string and added a test for it.

Checklist

  • [x] I have read the contributing guidelines
  • [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
    vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
  • I signed the Developer's Certificate of Origin
    by signing my commit(s). You can amend your signature to the most recent commit by using git commit --amend -s. If you
    amend the commit, you might need to force push using git push --force HEAD:<branch>. Please be very careful when using
    force push.
  • [x] I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)
  • I have documented my changes in the developer guide (if appropriate)
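The PR describes the two encodings a "scope" claim can have: a JSON array, or a single space-delimited, case-sensitive string (the RFC 6749 section 3.3 form Auth0 emits). The following is an added example, not oathkeeper's code or the PR's patch, showing how a validator can normalize both forms and then report which required scopes are missing; it goes slightly beyond the PR by rejecting unsupported claim types (a number, an object) instead of silently treating them as "no scope". The function names NormalizeScope, MissingScopes and CheckClaimsJSON and the claim sets in main are assumptions constructed for this example; signature verification of the surrounding JWT is out of scope here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// NormalizeScope is a hypothetical helper (not oathkeeper's code) that turns a
// decoded "scope" claim into a slice of scope strings. It accepts the two
// encodings discussed in the PR: a JSON array (decoded as []interface{}) and a
// single space-delimited string as described in RFC 6749 section 3.3.
func NormalizeScope(claim interface{}) ([]string, error) {
	switch v := claim.(type) {
	case nil:
		// Claim absent: the token grants no scopes.
		return nil, nil
	case string:
		// strings.Fields splits on runs of whitespace and drops empty entries,
		// so "" and "  a  b " both behave sensibly.
		return strings.Fields(v), nil
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("scope claim contains non-string element %v", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		// Numbers, objects, booleans: reject rather than treating them as "no scope".
		return nil, fmt.Errorf("scope claim has unsupported type %T", claim)
	}
}

// MissingScopes returns every entry of required that the claim does not grant.
// Matching is exact and case-sensitive, as the RFC wording requires.
func MissingScopes(claim interface{}, required []string) ([]string, error) {
	granted, err := NormalizeScope(claim)
	if err != nil {
		return nil, err
	}
	have := make(map[string]struct{}, len(granted))
	for _, s := range granted {
		have[s] = struct{}{}
	}
	missing := []string{}
	for _, r := range required {
		if _, ok := have[r]; !ok {
			missing = append(missing, r)
		}
	}
	return missing, nil
}

// CheckClaimsJSON decodes a JSON claim set (constructed sample input; the JWT
// signature is assumed to have been verified already) and reports which
// required scopes are missing. A missing "scope" key yields a nil claim.
func CheckClaimsJSON(claimsJSON string, required []string) ([]string, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return nil, fmt.Errorf("decoding claims: %w", err)
	}
	return MissingScopes(claims["scope"], required)
}

func main() {
	required := []string{"read:reports"}
	// Constructed claim sets: the Auth0-style string form from the PR, the
	// array form, an insufficient token, and a malformed claim.
	samples := []string{
		`{"sub": "client-1", "scope": "read:reports"}`,
		`{"sub": "client-2", "scope": ["read:reports", "write:reports"]}`,
		`{"sub": "client-3", "scope": "write:reports"}`,
		`{"sub": "client-4", "scope": 42}`,
	}
	for _, s := range samples {
		missing, err := CheckClaimsJSON(s, required)
		switch {
		case err != nil:
			fmt.Printf("%s -> reject: %v\n", s, err)
		case len(missing) > 0:
			fmt.Printf("%s -> 403, missing scope %s\n", s, strings.Join(missing, " "))
		default:
			fmt.Printf("%s -> allowed\n", s)
		}
	}
}
```

Two design points worth noting: splitting on whitespace with strings.Fields means a claim of "" grants nothing rather than a single empty scope, and the comparison is deliberately case-sensitive, so "Read:reports" does not satisfy a requirement for "read:reports".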

@gansbrest

gansbrest commented Nov 15, 2018

That's exactly what we need as well! Our scopes are space-separated and it's blocking us from using oathkeeper as a validator layer. Hope it will be merged soon. Great job!

@aeneasr
Member

aeneasr commented Nov 15, 2018

This looks good! Could you please sign your commit as shown in the contribution guidelines? The easiest would be git commit --amend -s && git push ..... You will need to force-push here, so make sure it's the right branch.

@stszap stszap force-pushed the support-scope-jwt-claim-as-a-string branch from 3f5afe7 to 5a65e4d on November 15, 2018 17:57
@stszap
Contributor Author

stszap commented Nov 15, 2018

Ok, I signed it.

@aeneasr
Member

aeneasr commented Nov 15, 2018

Sorry, one more thing - could you please create a PR here and add a quick paragraph on this? I know that there is nothing about the layout of the JWT but this is the perfect setting to add that, and it would probably save the next person looking at this some time! Then it's really good to get merged :)

@stszap
Contributor Author

stszap commented Nov 15, 2018

Sure, here it is https://github.com/ory/docs/pull/73/files

@aeneasr
Member

aeneasr commented Nov 15, 2018

Thank you for your contribution!

@aeneasr aeneasr merged commit ab5240e into ory:master Nov 15, 2018