I am working on an identity and users service in a microservices system for which a passwordless, SMS-based authentication is a hard requirement, i.e.

  1. User enters their phone number
  2. System sends the OTP via SMS
  3. User enters their OTP
  4. Registered users are given a JWT and allowed into the system, unregistered users are forced to register first

No username/email and password combination is used for security, only for profile details later in the registration process.

My own research yields these implementation options:

  1. Return a response status code based on which the client apps can act (e.g. 401 if OTP is incorrect, 403 if not registered and 200 with JWT otherwise)
  2. Return state in a response body information (e.g. a boolean field or custom response code/message), with JWT upon successful registration
  3. Return a JWT upon successful authentication, but vary the state of the JWT token itself, and control access accordingly (e.g. providing different scope claim for unregistered and registered users)

I am leaning towards option 3, although it seems that the scope claim is mainly used for delegated access.

Any help would be appreciated, be it an informed opinion on the three options, or another suggestion altogether.

1 Answer


A scope is meant to communicate that a certain collection of claims is available in the JWT. For example, the profile scope could represent that a person's name, e-mail address, user Id, etc., are included as claims. Curity.io actually has a pretty good comparison of scopes and claims.

Instead of a scope, I would pass a specific claim indicating they are registered or unregistered. This could be as simple as a user Id or registration date claim. There are only a few standard claims in the JWT spec — iss (issuer), sub (subject), aud (Audience), and exp (Expiration Time). You can use public claims or private claims to capture the user Id or registration date, with the absence of those claims being interpreted as "unregistered". Block access accordingly.

  • While claims are related to scopes, 'scope' is primarily the, well, scope of the access. As the article you cite states: "Scopes enable security boundaries, and they group claims." I would say boundaries are the primary need for scopes and the grouping of claims really just follows from that. Commented Nov 25 at 19:21
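To make the answer's suggestion concrete, here is an added example (not from the question or answer above) of an HS256 JWT issued after OTP verification, where the presence of `user_id` and `registered_at` private claims marks a registered user and their absence means "OTP verified but not yet registered". The signing key, issuer name and the `/register` route are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-signing-key"  # placeholder; load from a KMS/secret store in production
ISSUER = "identity-svc"                   # constructed issuer name

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(phone: str, user_id=None, registered_at=None, ttl=900) -> str:
    """Issue a JWT once the OTP has been verified. Registered users get the
    user_id / registered_at claims; an unregistered user gets only sub/iat/exp."""
    now = int(time.time())
    payload = {"iss": ISSUER, "sub": phone, "iat": now, "exp": now + ttl}
    if user_id is not None:
        payload["user_id"] = user_id
        payload["registered_at"] = registered_at
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token: str) -> dict:
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust alg=none
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= int(time.time()):
        raise ValueError("wrong issuer or expired")
    return claims

def authorize(token: str, route: str) -> bool:
    """Gate: only the registration endpoint is reachable without registration claims."""
    claims = verify_token(token)
    if route == "/register":
        return True
    return "user_id" in claims and "registered_at" in claims
```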
