New in IdentityServer4: Default Scopes

Another small thing people have been asking for.

The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access.

We relaxed this requirement a bit in IdentityServer4. At the token endpoint, scope is now optional (IOW for client credentials, resource owner and extension grants requests). If no scope is specified – the client will automatically get a token that contains all explicitly allowed scopes (that’s a per client setting).

This makes it easier, especially for server to server type communication to provision new APIs without having to change the token requests in the clients.

Endpoint documentation here – Client settings here.

 

This entry was posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI. Bookmark the permalink.

3 Responses to New in IdentityServer4: Default Scopes

  1. Xam says:

    Hi Dominick,

    Nice addition!

    As an aside, I’ve been taking at look at your IntrospectionClient and noticed that the last two parameters of its constructor are “clientId” and “clientSecret”. However, given that secrets are on the scope for this client, I’m wondering if the parameter names should be “scope” and “scopeSecret” instead?

  2. Suraj says:

    HI Dominick,
    Right now i am using IdentityServer4 and implementing in .NetCore 2.1 and first time i am working on this, I configured the server as per documentation and i had tested client authentication and authorization also. it works fine.

    But somehow, means its really weird to said that after few days it stops working, means i can login to the server, i have successfully create users, and clients also but when i hit Client URL it gives me error like below…

    Sorry there was an error: Invalid Scope.

    and redirect to home/error page.

    but few days before i have tested same scenario and that time works fine.

    Here are the details
    1) Using ASPNET IDENTITY.
    2) USING CONFIGURATIONDBCONTEXT and PERSISTANTDBCONTEXT.

    so i all values are coming from database.

    this is client authetication code in STARTUP.CS

    services.AddAuthentication(options =>
    {
    options.DefaultScheme = “Cookies”;
    options.DefaultChallengeScheme = “oidc”;
    }).AddCookie(“Cookies”,
    (options) =>
    {
    options.AccessDeniedPath = “/Authorization/AccessDenied”;
    })
    .AddOpenIdConnect(“oidc”, options =>
    {
    options.SignInScheme = “Cookies”;
    options.Authority = “https://localhost:44388”;
    options.ClientId = “OnCallClient”;
    options.ResponseType = “code id_token”;
    options.Scope.Add(“openid”);
    options.Scope.Add(“profile”);
    options.Scope.Add(“address”);
    options.Scope.Add(“roles”);
    options.SaveTokens = true;
    options.ClientSecret = “secret”;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.ClaimActions.Remove(“amr”);
    options.ClaimActions.DeleteClaim(“sid”);
    options.ClaimActions.DeleteClaim(“idp”);
    options.ClaimActions.Add(new JsonKeyClaimAction(“role”, “role”, “role”));

    });

    and i registered above client like this

    var clients = new Client
    {
    ClientName = Model.ClientName,
    ClientUri = Model.ClientUri,
    ClientId = Model.ClientId,
    AllowedGrantTypes = IdentityServer4.Models.GrantTypes.Hybrid,
    //AccessTokenLifetime= 60,
    RedirectUris = new List()
    {
    Model.ClientUri.EnsureEndsWith(‘/’)+”signin-oidc”
    },
    PostLogoutRedirectUris = new List()
    {
    Model.ClientUri.EnsureEndsWith(‘/’)+”signout-callback-oidc”
    },
    AllowedScopes =
    {
    IdentityServerConstants.StandardScopes.OpenId,
    IdentityServerConstants.StandardScopes.Profile,
    IdentityServerConstants.StandardScopes.Address,
    “roles”
    },
    ClientSecrets =
    {
    new Secret(“secret”.Sha256())
    }
    };

    I have spend lots of time in resolving this issue, you are my last hope.

    Please Help me to solve this issue.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s