WSO2 Changelog

Configurable JSON Array Format for JWT Access Token Scopes

Integrating Asgardeo with existing systems just got easier. While standard OAuth 2.0 JWT access tokens format scopes as a single, space-separated string (e.g., "scope": "read write"), some applications and downstream services (especially legacy apps or those integrated with other IdPs) strictly require scopes to be passed as a JSON array (e.g., "scope": ["read", "write"]).

To eliminate integration hurdles and custom workarounds, Asgardeo now supports configurable scope claim formats. This configuration can be applied at two levels:

• Application Level: Configure the array format for a specific application to ensure seamless compatibility with downstream services.
• Organization Level: Apply the array format globally to standardize the token structure for all applications across the organization.

(Note: Application-level configurations take precedence over organization-level settings when determining the JWT scope format for a specific application)

Documentation: 

OIDC Configuration 

• https://wso2.com/asgardeo/docs/references/app-settings/oidc-settings-for-app/#access-token

Application Management API

• https://wso2.com/asgardeo/docs/apis/application-management/#tag/Applications/operation/createApplication
• https://wso2.com/asgardeo/docs/apis/application-management/#tag/Inbound-Protocols-OAuth-OIDC/operation/updateInboundOAuthConfiguration

Sub org Application Management API

• https://wso2.com/asgardeo/docs/apis/organization-apis/organization-application-mgt/#tag/Applications/operation/createApplication
• https://wso2.com/asgardeo/docs/apis/organization-apis/organization-application-mgt/#tag/Inbound-Protocols-OAuth-OIDC/operation/updateInboundOAuthConfiguration