New in IdentityServer4: Default Scopes

Another small thing people have been asking for.

The scope parameter is optional in OAuth 2, but until now we made the decision that clients always have to ask explicitly for the scopes they want to access.

We relaxed this requirement a bit in IdentityServer4. At the token endpoint, scope is now optional (IOW for client credentials, resource owner password and extension grant requests; requests that go through the authorize endpoint are unaffected). If no scope is specified, the client automatically gets a token that contains all of its explicitly allowed scopes (the client's AllowedScopes, which is a per-client setting).

This makes it easier, especially for server-to-server communication, to provision new APIs without having to change the token requests in the clients: adding the new API's scope to the client's allowed scopes is enough.
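The following Python sketch is an added example, not code from this post or from IdentityServer4; it models the token-endpoint rule described above (scope omitted means every allowed scope, scope present means every requested scope must be allowed) and what "provisioning a new API" looks like from the client's side. The client id, scope names and request shapes are constructed for illustration, and client authentication is left out because it is not the point here.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, Optional


class TokenRequestError(Exception):
    """An OAuth 2 token-endpoint error: error code plus description."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


@dataclass(frozen=True)
class Client:
    """The part of a client registration that matters here
    (stands in for AllowedGrantTypes / AllowedScopes)."""
    client_id: str
    allowed_grant_types: FrozenSet[str]
    allowed_scopes: FrozenSet[str]


def resolve_scopes(client: Client, scope_param: Optional[str]) -> FrozenSet[str]:
    """The rule from the post, applied at the token endpoint:
    scope omitted or blank -> every scope in the client's AllowedScopes;
    scope present          -> each requested scope must be allowed, else invalid_scope.
    """
    if scope_param is None or not scope_param.strip():
        return client.allowed_scopes
    requested = frozenset(scope_param.split())
    not_allowed = requested - client.allowed_scopes
    if not_allowed:
        raise TokenRequestError(
            "invalid_scope",
            f"not allowed for '{client.client_id}': {' '.join(sorted(not_allowed))}",
        )
    return requested


def handle_token_request(clients: Dict[str, Client], form: Dict[str, str]) -> Dict[str, str]:
    """Minimal token endpoint: client lookup, grant-type check, scope resolution.
    The access_token value is a placeholder; 'scope' in the response shows what was granted.
    (Client authentication is left out: it is not what the post is about.)"""
    client = clients.get(form.get("client_id", ""))
    if client is None:
        raise TokenRequestError("invalid_client", "unknown client_id")
    grant_type = form.get("grant_type", "")
    if grant_type not in client.allowed_grant_types:
        raise TokenRequestError("unauthorized_client", f"'{grant_type}' not allowed")
    granted = " ".join(sorted(resolve_scopes(client, form.get("scope"))))
    return {"access_token": f"<token for {granted}>", "token_type": "Bearer", "scope": granted}


def error_code(clients, form) -> Optional[str]:
    """Error code a request fails with, or None if it succeeds (for checking outcomes)."""
    try:
        handle_token_request(clients, form)
    except TokenRequestError as exc:
        return exc.error
    return None


def provision_api(client: Client, new_scope: str) -> Client:
    """'Provisioning a new API': the only change is server-side, in the client's AllowedScopes."""
    return replace(client, allowed_scopes=client.allowed_scopes | {new_scope})


# Constructed sample data (assumed, not from the post): one machine-to-machine client.
BATCH_CLIENT = Client(
    client_id="reporting-batch",
    allowed_grant_types=frozenset({"client_credentials"}),
    allowed_scopes=frozenset({"orders.read", "invoices.read"}),
)


def demo() -> Dict[str, str]:
    """Scope-less vs. pinned requests, before and after a new API scope is provisioned."""
    clients = {BATCH_CLIENT.client_id: BATCH_CLIENT}
    default_req = {"grant_type": "client_credentials", "client_id": "reporting-batch"}
    pinned_req = dict(default_req, scope="orders.read")
    out = {
        "before_default": handle_token_request(clients, default_req)["scope"],
        "before_pinned": handle_token_request(clients, pinned_req)["scope"],
    }
    clients["reporting-batch"] = provision_api(BATCH_CLIENT, "shipping.read")
    out["after_default"] = handle_token_request(clients, default_req)["scope"]  # gains shipping.read
    out["after_pinned"] = handle_token_request(clients, pinned_req)["scope"]    # unchanged
    return out


if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name:15} -> {granted}")
```

The convenience cuts both ways: a client that omits scope picks up every scope you later add to its allowed scopes, so a scope-less client credentials token is always as broad as the registration allows. Clients that should stay narrowly privileged are better off continuing to request their scopes explicitly, and an unexpected invalid_scope is then the signal that the registration and the request have drifted apart.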

Endpoint documentation here – Client settings here.


This entry was posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI.

5 Responses to New in IdentityServer4: Default Scopes

  1. Xam says:

    Hi Dominick,

    Nice addition!

    As an aside, I've been taking a look at your IntrospectionClient and noticed that the last two parameters of its constructor are "clientId" and "clientSecret". However, given that secrets are on the scope for this client, I'm wondering if the parameter names should be "scope" and "scopeSecret" instead?

  2. Suraj says:

    Hi Dominick,
    Right now I am using IdentityServer4, implementing it in .NET Core 2.1, and this is the first time I am working on this. I configured the server as per the documentation and I had tested client authentication and authorization also. It works fine.

    But somehow, it is really weird to say, after a few days it stopped working. I can log in to the server, I have successfully created users and clients also, but when I hit the client URL it gives me an error like below:

    Sorry there was an error: Invalid Scope.

    and redirects to the home/error page.

    But a few days before I had tested the same scenario and at that time it worked fine.

    Here are the details:
    1) Using ASP.NET Identity.
    2) Using ConfigurationDbContext and PersistedGrantDbContext.

    So all values are coming from the database.

    This is the client authentication code in Startup.cs:

    // JsonKeyClaimAction lives in Microsoft.AspNetCore.Authentication.OAuth.Claims
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies", options =>
    {
        options.AccessDeniedPath = "/Authorization/AccessDenied";
    })
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "https://localhost:44388";
        options.ClientId = "OnCallClient";
        options.ResponseType = "code id_token";   // hybrid flow
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("address");
        options.Scope.Add("roles");
        options.SaveTokens = true;
        options.ClientSecret = "secret";
        options.GetClaimsFromUserInfoEndpoint = true;
        options.ClaimActions.Remove("amr");
        options.ClaimActions.DeleteClaim("sid");
        options.ClaimActions.DeleteClaim("idp");
        // map the "role" JSON key from the userinfo response to a "role" claim
        options.ClaimActions.Add(new JsonKeyClaimAction("role", "role", "role"));
    });

    And I registered the above client like this:

    var clients = new Client
    {
        ClientName = Model.ClientName,
        ClientUri = Model.ClientUri,
        ClientId = Model.ClientId,
        AllowedGrantTypes = IdentityServer4.Models.GrantTypes.Hybrid,
        //AccessTokenLifetime = 60,
        RedirectUris = new List<string>
        {
            Model.ClientUri.EnsureEndsWith('/') + "signin-oidc"
        },
        PostLogoutRedirectUris = new List<string>
        {
            Model.ClientUri.EnsureEndsWith('/') + "signout-callback-oidc"
        },
        // must cover every scope the client's OpenIdConnect options request
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Address,
            "roles"
        },
        ClientSecrets =
        {
            new Secret("secret".Sha256())
        }
    };

    I have spent lots of time resolving this issue; you are my last hope.

    Please help me to solve this issue.
