SheppardDigital

Identity Server 4 Checking for expected scope openid failed

I'm trying to set up an Identity Server for the first time in ASP.NET Core. I've set everything up to use a database and have created a script that creates a test client, test user and resources. I can request a client token and request a user token, and those work fine, but when calling the connect/userinfo endpoint I'm getting a Forbidden response and the following error:

    IdentityServer4.Validation.TokenValidator[0]
          Checking for expected scope openid failed
          {
            "ValidateLifetime": true,
            "AccessTokenType": "Jwt",
            "ExpectedScope": "openid",
            "Claims": {
              "nbf": 1556641697,
              "exp": 1556645297,
              "iss": "https://localhost:5001",
              "aud": [
                "https://localhost:5001/resources",
                "customAPI"
              ],
              "client_id": "newClient",
              "sub": "75f86dd0-512e-4c9d-b298-1afa120c7d47",
              "auth_time": 1556641697,
              "idp": "local",
              "role": "admin",
              "scope": "customAPI.read",
              "amr": "pwd"
            }
          }

I'm not sure what is causing the issue. Here is the script I used to set up the test entities:

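/// <summary>
/// Applies pending migrations and seeds the IdentityServer configuration store
/// (one client, the identity resources, one API resource) and the ASP.NET Identity
/// store (one user with claims) with test data.
/// Development-only: the client secret, API secret and user password below are
/// hard-coded test values and must not be reused outside a throwaway local database.
/// </summary>
/// <param name="app">The application whose service provider resolves the DbContexts and the UserManager.</param>
/// <exception cref="System.InvalidOperationException">
/// Thrown when a required service cannot be resolved, or when creating the test user
/// or assigning its claims fails (e.g. the password does not satisfy the configured policy).
/// </exception>
private static void InitializeDbTestData(IApplicationBuilder app)
        {
            // GetRequiredService (rather than GetService) turns a missing registration into a
            // descriptive exception instead of a NullReferenceException on CreateScope().
            using (var scope = app.ApplicationServices.GetRequiredService<IServiceScopeFactory>().CreateScope())
            {
                scope.ServiceProvider.GetRequiredService<PersistedGrantDbContext>().Database.Migrate();
                scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>().Database.Migrate();
                scope.ServiceProvider.GetRequiredService<ApplicationDbContext>().Database.Migrate();

                var context = scope.ServiceProvider.GetRequiredService<ConfigurationDbContext>();

                // NOTE(review): the configuration seed below is not idempotent — each run adds
                // another copy of the client and resources. Acceptable for a throwaway dev
                // database; guard it on "already seeded" before using it anywhere else.

                // API Client
                Client client = new Client
                {
                    ClientId = "newClient",
                    ClientName = "Example Client Credentials Client Application",
                    AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
                    ClientSecrets = new List<Secret>
                    {
                        new Secret("123456789".Sha256())
                    },
                    AllowedScopes = new List<string>
                    {
                        // The userinfo endpoint only accepts an access token that carries the
                        // "openid" scope. The client must therefore be allowed to request it
                        // (and the caller must actually include it in the token request);
                        // the other identity scopes match the identity resources seeded below.
                        "openid",
                        "profile",
                        "email",
                        "role",
                        "customAPI.read"
                    }
                };

                context.Clients.Add(client.ToEntity());
                context.SaveChanges();

                // Identity Resources
                IList<IdentityResource> identityResources = new List<IdentityResource>
                {
                    new IdentityResources.OpenId(),
                    new IdentityResources.Profile(),
                    new IdentityResources.Email(),
                    new IdentityResource
                    {
                        Name = "role",
                        UserClaims = new List<string> {"role"}
                    }
                };

                foreach (IdentityResource identityResource in identityResources)
                {
                    context.IdentityResources.Add(identityResource.ToEntity());
                }

                // API Resource
                ApiResource resource = new ApiResource
                {
                    Name = "customAPI",
                    DisplayName = "Custom API",
                    Description = "Custom API Access",
                    UserClaims = new List<string> {"role"},
                    ApiSecrets = new List<Secret> {new Secret("scopeSecret".Sha256())},
                    Scopes = new List<Scope>
                    {
                        new Scope("customAPI.read"),
                        new Scope("customAPI.write")
                    }
                };

                context.ApiResources.Add(resource.ToEntity());
                // One SaveChanges covers both the identity resources and the API resource.
                context.SaveChanges();

                var userManager = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();

                // User: user names are unique, so a second run would fail on CreateAsync.
                // Skip creation when the test user already exists.
                // This method is synchronous and runs during startup, so the async calls are
                // blocked on; GetAwaiter().GetResult() surfaces the real exception instead of
                // the AggregateException that Wait() would throw.
                IdentityUser user = userManager.FindByNameAsync("JohnDoe").GetAwaiter().GetResult();
                if (user == null)
                {
                    user = new IdentityUser
                    {
                        UserName = "JohnDoe",
                        Email = "[email protected]",
                    };

                    IList<Claim> claims = new List<Claim>
                    {
                        new Claim(JwtClaimTypes.Email, user.Email),
                        new Claim(JwtClaimTypes.Role, "admin")
                    };

                    // The IdentityResult was previously ignored: a failed CreateAsync (for example a
                    // password rejected by the policy) would silently leave no user, and AddClaimsAsync
                    // would then fail on a non-existent user. Fail loudly instead.
                    EnsureSucceeded(userManager.CreateAsync(user, "112222224344").GetAwaiter().GetResult(), "create test user");
                    EnsureSucceeded(userManager.AddClaimsAsync(user, claims).GetAwaiter().GetResult(), "add test user claims");
                }
            }

            // Throws when an Identity operation reports failure; IdentityResult.ToString()
            // lists the error codes, which is enough to diagnose a seed problem.
            void EnsureSucceeded(IdentityResult result, string action)
            {
                if (!result.Succeeded)
                {
                    throw new System.InvalidOperationException($"Failed to {action}: {result}");
                }
            }
        }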

I'm sure I've set up something wrong when I set up the client/user, can anyone pinpoint what it is?


Answers (1)

d_f

I can't see your client-side code, but the error says you did not request the openid scope when you applied for the token. A token that is valid for the userinfo endpoint must contain the openid scope.
