New in IdentityServer4: Default Scopes

Another small thing people have been asking for.

The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access.

We relaxed this requirement a bit in IdentityServer4. At the token endpoint, scope is now optional (IOW for client credentials, resource owner and extension grants requests). If no scope is specified – the client will automatically get a token that contains all explicitly allowed scopes (that’s a per client setting).

This makes it easier, especially for server to server type communication to provision new APIs without having to change the token requests in the clients.

Endpoint documentation here – Client settings here.


This entry was posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI. Bookmark the permalink.

One Response to New in IdentityServer4: Default Scopes

  1. Xam says:

    Hi Dominick,

    Nice addition!

    As an aside, I’ve been taking at look at your IntrospectionClient and noticed that the last two parameters of its constructor are “clientId” and “clientSecret”. However, given that secrets are on the scope for this client, I’m wondering if the parameter names should be “scope” and “scopeSecret” instead?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s