JWT authorization does not recognise scope claim named scp

*Description*:

The JWT authorization as described at [JWT Claim-Based Authorization](https://gateway.envoyproxy.io/docs/tasks/security/jwt-claim-authorization/) shows how the authorization can be specified using `scope` claims. The example token has a claim named `scope`. However some identity providers such as Microsoft Entra Id, and Okta, and possibly others, shorten this claim name to `scp`. Envoy gateway does not seem to recognise `scp` as the scopes claim and authorization fails.

*Repro steps*:

Register an application in Entra ID as per [OAuth 2.0 authorization with Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/architecture/auth-oauth2).

configure the JWT provider in the `SecurityPolicy`

```yaml
  jwt:
    providers:
    - name: entra
      audiences:
      - api://<client-id>
      issuer: https://sts.windows.net/<tenant-id>/
      remoteJWKS:
        uri: https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys
```

Define the authorization principal using `scopes`.

Get an access token using azure cli (`az account get-access-token`) for example, and make a request to the protected endpoint. you get an `RBAC: access denied` response, even it the token is valid.

*Environment*:

Version: v1.6.2
Go Version: go1.25.3
Platform: linux/amd64

*Logs*:




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

JWT authorization does not recognise scope claim named scp #8027

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

JWT authorization does not recognise scope claim named scp #8027

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions