Skip to main content

Migrating from MITREid

This page contains tips and tricks to move your current MITREid instance to Ory OAuth2 & OpenID.

Scopes

Scopes in Ory doesn't have a relational entity, every client defines its own array of scopes.

Scope vs Scp

Since Ory uses scp as the scope claim, you have to be sure your client libraries are capable to use both.

If you are using the spring.security.oauth2 library, check out the example

Query string parameters

MITREid doesn't mind if the parameters are passed in the body or in the query string. In order to work with Hydra, you have to migrate all your calls that are using query string parameters to body parameters.

For example, you should move from

curl -X POST  http://127.0.0.1/mitreid-server/token?grant_type=client_credentials \
-H "Authorization: $AUTH"
# ...

to

curl -X POST  https://<project>.projects.oryapis.com/mitreid-server/token \
-H "Authorization: $AUTH" \
--data-urlencode 'grant_type=client_credentials'
# ...

Scope Strategies if no scope is requested

The last pitfall found during the migration was the difference of behavior when performing the client_credentials grant without specifying a scope. By default, Ory Hydra returns an empty scope, but MITREid grants the default scope for the OAuth 2.0 Client.

To change the behavior in Ory, use:

ory patch oauth2-config "{your-project-id}" \
--replace '/oauth2/client_credentials/default_grant_allowed_scope=true'

Once set, Ory will behave like MITREid and grant the OAuth2 Client's scope when an empty scope is requested for a client_credentials grant.