I'm implementing the AuthorizationCode flow in IdentityServer3.
When I log in I get an invalid_scope exception.
Here's my client:
// IdentityServer3 client registration for the web application (authorization-code flow).
new Client
{
Enabled = true,
ClientName = "Web Application",
ClientId = "webapplication",
Flow = Flows.AuthorizationCode,
// Stored as a SHA-256 hash; the plaintext "webappsecret" is what the TokenClient in the
// startup code sends to the token endpoint.
ClientSecrets = new List<Secret>
{
new Secret("webappsecret".Sha256())
},
RedirectUris = new List<string>
{
UrlManager.WebApplication
},
PostLogoutRedirectUris = new List<string>
{
UrlManager.WebApplication
},
// Scopes this client may request. Each one must also exist in the server's scope store;
// a scope allowed here but missing from the store is rejected with invalid_scope.
AllowedScopes = new List<string>
{
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
Constants.StandardScopes.Roles,
// Standard OIDC scope for refresh tokens.
Constants.StandardScopes.OfflineAccess
}
}
Here's my startup:
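// OWIN OpenID Connect middleware for the "webapplication" client: authorization-code flow,
// with the code exchanged for tokens server-side in the AuthorizationCodeReceived notification.
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    Authority = UrlManager.AuthenticationService + "identity",
    ClientId = "webapplication",
    // Every scope requested here must exist in the server's scope store and in the client's
    // AllowedScopes; otherwise the authorize request fails with invalid_scope.
    Scope = "openid profile offline_access",
    ResponseType = "code",
    RedirectUri = UrlManager.WebApplication,
    SignInAsAuthenticationType = "Cookies",
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        AuthorizationCodeReceived = async n =>
        {
            // Exchange the authorization code for the access and refresh token using the
            // client secret. This runs in the middleware, not in the browser.
            var tokenClient = new TokenClient(
                UrlManager.TokenEndpoint,
                "webapplication",
                "webappsecret");
            var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
                n.Code, n.RedirectUri);
            if (tokenResponse.IsError)
            {
                // Specific exception type instead of bare System.Exception; any existing
                // catch (Exception) handler still catches it.
                throw new InvalidOperationException(tokenResponse.Error);
            }

            // Use the access token to retrieve claims from the userinfo endpoint.
            var userInfoClient = new UserInfoClient(
                new Uri(UrlManager.UserInfoEndpoint),
                tokenResponse.AccessToken);
            var userInfoResponse = await userInfoClient.GetAsync();
            if (userInfoResponse.IsError)
            {
                // Fail explicitly rather than building an identity from an error response.
                throw new InvalidOperationException("userinfo request failed");
            }

            // Build the identity that goes into the cookie: userinfo claims plus the tokens.
            var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
            id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
            id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
            // Round-trip ("o") UTC format: the original local-time, culture-dependent
            // ToString() could not be parsed back reliably.
            id.AddClaim(new Claim("expires_at",
                DateTime.UtcNow.AddSeconds(tokenResponse.ExpiresIn).ToString("o")));
            // A refresh token is only issued when offline_access was granted, and Claim
            // throws ArgumentNullException on a null value, so add it conditionally.
            if (!string.IsNullOrEmpty(tokenResponse.RefreshToken))
            {
                id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
            }
            id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
            // Guard the sid lookup instead of dereferencing a possibly-null FindFirst result.
            var sid = n.AuthenticationTicket.Identity.FindFirst("sid");
            if (sid != null)
            {
                id.AddClaim(new Claim("sid", sid.Value));
            }

            n.AuthenticationTicket = new AuthenticationTicket(
                new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
                n.AuthenticationTicket.Properties);
        }
    }
});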
Here's my openid config:
{
"issuer":"https://localhost:44329/identity",
"jwks_uri":"https://localhost:44329/identity/.well-known/jwks",
"authorization_endpoint":"https://localhost:44329/identity/connect/authorize",
"token_endpoint":"https://localhost:44329/identity/connect/token",
"userinfo_endpoint":"https://localhost:44329/identity/connect/userinfo",
"end_session_endpoint":"https://localhost:44329/identity/connect/endsession",
"check_session_iframe":"https://localhost:44329/identity/connect/checksession",
"revocation_endpoint":"https://localhost:44329/identity/connect/revocation",
"introspection_endpoint":"https://localhost:44329/identity/connect/introspect",
"frontchannel_logout_supported":true,
"frontchannel_logout_session_supported":true,
"scopes_supported":[
"openid",
"profile",
"email",
"phone",
"address",
"alpha",
"beta"
],
"claims_supported":[
"sub",
"name",
"family_name",
"given_name",
"middle_name",
"nickname",
"preferred_username",
"profile",
"picture",
"website",
"gender",
"birthdate",
"zoneinfo",
"locale",
"updated_at",
"email",
"email_verified",
"phone_number",
"phone_number_verified",
"address"
],
"response_types_supported":[
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported":[
"form_post",
"query",
"fragment"
],
"grant_types_supported":[
"authorization_code",
"client_credentials",
"password",
"refresh_token",
"implicit"
],
"subject_types_supported":[
"public"
],
"id_token_signing_alg_values_supported":[
"RS256"
],
"code_challenge_methods_supported":[
"plain",
"S256"
],
"token_endpoint_auth_methods_supported":[
"client_secret_post",
"client_secret_basic"
]
}
The supported scopes do not contain offline_access. I can see from my logs that offline_access is the scope that is causing the problem.
Why is this? How do I configure my server to support the offline_access scope?
Adding the standard scopes to the scope configuration solved this for me.
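/// <summary>
/// Scope store contents for IdentityServer3. Every scope a client may request (here the
/// standard offline_access scope used for refresh tokens) must be listed, otherwise the
/// authorize request fails with invalid_scope.
/// </summary>
/// <returns>The scopes the server supports.</returns>
public static IEnumerable<Scope> Get()
{
    var scopes = new List<Scope>
    {
        StandardScopes.OfflineAccess,
        // your other scopes listed here
    };

    // The original snippet omitted the return statement (and the initializer's
    // semicolon), so it did not compile as written.
    return scopes;
}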