Merge pull request #5889 from AfraHussaindeen/master_jwt-scope-array-doc

AfraHussaindeen · web-flow · commit 8339b5ea624d · 2026-02-13T10:26:39.000+05:30
[DOC] Add docs related to JWT access token scope format support
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/application.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/application.yaml
@@ -1125,6 +1125,10 @@ components:
           type: boolean
           description: "If enabled, both access token and the token binding needs to be present for a successful API
           invocation."
+        enableJwtScopeAsArray:
+          type: boolean
+          description: "If enabled, the scope claim in JWT access tokens will be formatted as a JSON array instead of a space-separated string."
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/asgardeo/docs/apis/organization-apis/restapis/org-application-mgt.yaml b/en/asgardeo/docs/apis/organization-apis/restapis/org-application-mgt.yaml
@@ -1927,6 +1927,10 @@ components:
           type: array
           items:
             type: string
+        enableJwtScopeAsArray:
+          type: boolean
+          description: "If enabled, the scope claim in JWT access tokens will be formatted as a JSON array instead of a space-separated string."
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/asgardeo/docs/apis/restapis/application-management.yaml b/en/asgardeo/docs/apis/restapis/application-management.yaml
@@ -4714,6 +4714,10 @@ components:
         validateTokenBinding:
           type: boolean
           description: If enabled, both the access token and the token binding need to be present for a successful API invocation.
+        enableJwtScopeAsArray:
+          type: boolean
+          description: If enabled, the scope claim in JWT access tokens will be formatted as a JSON array instead of a space-separated string.
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/application.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/application.yaml
@@ -1120,6 +1120,10 @@ components:
           type: boolean
           description: "If enabled, both access token and the token binding needs to be present for a successful API
           invocation."
+        enableJwtScopeAsArray:
+          type: boolean
+          description: "If enabled, the scope claim in JWT access tokens will be formatted as a JSON array instead of a space-separated string."
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/identity-server/next/docs/apis/organization-apis/restapis/org-application-mgt.yaml b/en/identity-server/next/docs/apis/organization-apis/restapis/org-application-mgt.yaml
@@ -2258,6 +2258,10 @@ components:
           type: array
           items:
             type: string
+        enableJwtScopeAsArray:
+          type: boolean
+          description: "If enabled, the scope claim in JWT access tokens will be formatted as a JSON array instead of a space-separated string."
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/identity-server/next/docs/apis/restapis/application.yaml b/en/identity-server/next/docs/apis/restapis/application.yaml
@@ -5635,6 +5635,12 @@ components:
           type: array
           items:
             type: string
+        enableJwtScopeAsArray:
+          type: boolean
+          description: >
+            If enabled, the scope claim in JWT access tokens will be formatted as a JSON array
+            instead of a space-separated string.
+          example: false
     RefreshTokenConfiguration:
       type: object
       properties:
diff --git a/en/identity-server/next/docs/apis/restapis/configs.yaml b/en/identity-server/next/docs/apis/restapis/configs.yaml
@@ -1169,7 +1169,131 @@ paths:
             curl -X 'DELETE' \
             'https://localhost:9443/api/server/v1/configs/authentication/inbound/passivests' \
             -H 'accept: application/json' \
-            -H 'Authorization: Basic YWRtaW46YWRtaW4='   
+            -H 'Authorization: Basic YWRtaW46YWRtaW4='
+  /configs/authentication/inbound/oauth2:
+    get:
+      tags:
+        - Inbound Authentication Configurations
+      summary: Retrieve OAuth2 inbound authentication configurations
+      description: |
+        Retrieve server OAuth2 inbound authentication configurations.
+
+        <b>Scope(Permission) required:</b> `internal_config_view`
+      operationId: getOAuth2InboundAuthConfig
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/InboundAuthOAuth2Config'
+        '400':
+          description: Bad request
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '404':
+          description: Not Found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+        '500':
+          description: Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+      x-codeSamples:
+        - lang: Curl
+          source: |
+            curl -X 'GET' \
+            'https://localhost:9443/api/server/v1/configs/authentication/inbound/oauth2' \
+            -H 'accept: application/json' \
+            -H 'Authorization: Basic YWRtaW46YWRtaW4='
+    patch:
+      tags:
+        - Inbound Authentication Configurations
+      summary: Update OAuth2 inbound authentication configurations
+      description: |
+        Patch server OAuth2 inbound authentication configurations.
+
+        <b>Scope(Permission) required:</b> `internal_config_update`
+      operationId: updateOAuth2InboundAuthConfig
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/InboundAuthOAuth2Config'
+      responses:
+        '200':
+          description: Successful response
+        '400':
+          description: Bad request
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '404':
+          description: Not Found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+        '500':
+          description: Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+      x-codeSamples:
+        - lang: Curl
+          source: |
+            curl -X 'PATCH' \
+            'https://localhost:9443/api/server/v1/configs/authentication/inbound/oauth2' \
+            -H 'accept: */*' \
+            -H 'Authorization: Basic YWRtaW46YWRtaW4=' \
+            -H 'Content-Type: application/json' \
+            -d '{
+            "enableJwtScopeAsArray": true
+            }'
+    delete:
+      tags:
+        - Inbound Authentication Configurations
+      summary: Delete OAuth2 inbound authentication configurations.
+      description: |
+        Delete all OAuth2 inbound authentication configurations.<br><br>
+        <b>Scope (Permission) required:</b> internal_config_update
+      operationId: deleteOAuth2InboundAuthConfig
+      responses:
+        '204':
+          description: Successful deletion
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '500':
+          description: Server Error
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Error'
+      x-codeSamples:
+        - lang: Curl
+          source: |
+            curl -X 'DELETE' \
+            'https://localhost:9443/api/server/v1/configs/authentication/inbound/oauth2' \
+            -H 'accept: application/json' \
+            -H 'Authorization: Basic YWRtaW46YWRtaW4='
 servers:
   - url: 'https://{serverUrl}/t/{tenantDomain}/api/server/v1'
     variables:
@@ -1691,4 +1815,11 @@ components:
           type: string
           description: "Passive STS URL"
           readOnly: true
-          example: "https://localhost:9443/passivests"
+          example: "https://localhost:9443/passivests"
+    InboundAuthOAuth2Config:
+      type: object
+      properties:
+        enableJwtScopeAsArray:
+          type: boolean
+          description: "Enable formatting scope claim in JWT access tokens as a JSON array instead of a space-separated string."
+          example: false
diff --git a/en/includes/guides/fragments/manage-app/oidc-settings/access-token.md b/en/includes/guides/fragments/manage-app/oidc-settings/access-token.md
@@ -25,7 +25,32 @@
     "expires_in": 3600
     }
     ```
-    <br>
+
+    !!! note
+        By default, the `scope` claim in JWT access tokens uses a space-separated string format (e.g., `"scope": "openid profile email"`). This format complies with the **JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens ([RFC 9068](https://www.rfc-editor.org/rfc/rfc9068.html))**.
+
+        You can change this to a JSON array format (e.g., `"scope": ["openid", "profile", "email"]`), but this is **not recommended** as it deviates from the standard specification.
+
+        If you still require this configuration, it can be applied at two levels:
+
+        - **Application level**: Set the `enableJwtScopeAsArray` property in the application's `accessToken` configuration via the [Application Management API]({{base_path}}/apis/{% if product_name == "Asgardeo" %}application-management{% else %}application-rest-api{% endif %}/). This overrides the tenant-level setting for the specific application.
+        {% if product_name == "WSO2 Identity Server" %}
+        - **Tenant level**: Use the [Server Configuration API]({{base_path}}/apis/configs-rest-api/#tag/Inbound-Authentication-Configurations/operation/updateOAuth2InboundAuthConfig) to set the `enableJwtScopeAsArray` property. This applies to all applications in the tenant unless overridden at the application level.
+        {% endif %}
+        {% if product_name == "Asgardeo" %}
+        - **Organization level**: Set the `enableJwtScopeAsArray` property via the following API. This applies to all applications in the organization unless overridden at the application level.
+
+            Get an access token with the `internal_config_update` scope and use it to execute the following cURL:
+
+            ``` curl
+            curl --location --request PATCH 'https://api.asgardeo.io/t/<organization_name>/api/server/v1/configs/authentication/inbound/oauth2' \
+            --header 'Content-Type: application/json' \
+            --header 'Authorization: Bearer <access_token>' \
+            --data '{
+                "enableJwtScopeAsArray": true
+            }'
+            ```
+        {% endif %}
 
 {% if product_name == "Asgardeo" or (product_name == "WSO2 Identity Server" and is_version != "7.0.0") %}
 #### Access Token Attributes
