Elger Mensonides

Reputation: 7029

The specified 'scope' is invalid. while refreshing token

I'm migrating from id4 to openiddict. So far everything is working well. Authorizing and getting a token via the authorization_code grant works fine.

Except for when I want to refresh a token.

I'm getting an 'invalid_grant' error with the description 'The specified 'scope' is invalid.' while refreshing a token.

The refresh token request payload looks like this:

grant_type: refresh_token
scope: openid roles offline_access
refresh_token: *[redacted]
client_id: js

server config:

.AddServer(options =>
{
    options.DisableAccessTokenEncryption();

    options.SetAuthorizationEndpointUris("/authorize")
           .SetTokenEndpointUris("/token")
           .SetLogoutEndpointUris("/logout")
           .SetUserinfoEndpointUris("/userinfo");

    options.AllowAuthorizationCodeFlow()
           .AllowRefreshTokenFlow();

    options.RegisterScopes(Scopes.Profile,
                           Scopes.Roles,
                           Scopes.OfflineAccess,
                           Scopes.OpenId,
                           Scopes.Email,
                           "api1");

    options.RegisterClaims(Claims.Role,
                           Claims.Profile,
                           Claims.Name,
                           Claims.Subject,
                           "user_type");

    options.AddEncryptionKey(new SymmetricSecurityKey(
        Convert.FromBase64String("DRjd/GnduI3Efzen9V9BvbNUfc/VKgXltV7Kbk9sMkY=")));

    // Register the signing credentials.
    options.AddDevelopmentSigningCertificate();

    options.UseAspNetCore()
           .EnableAuthorizationEndpointPassthrough()
           .EnableLogoutEndpointPassthrough()
           .EnableTokenEndpointPassthrough()
           .EnableUserinfoEndpointPassthrough();

    options.SetAccessTokenLifetime(TimeSpan.FromSeconds(50));
})
.AddValidation(options =>
{
    options.UseLocalServer();
    options.UseAspNetCore();
});

Application client:

await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
    ClientId = "js",
    ConsentType = ConsentTypes.External,
    DisplayName = "angular client PKCE",
    DisplayNames =
    {
        [CultureInfo.GetCultureInfo("th-TH")] = "Application client"
    },
    PostLogoutRedirectUris =
    {
        new Uri("https://localhost.domain.com")
    },
    RedirectUris =
    {
        new Uri("https://localhost.domain.com/callback")
    },
    Permissions =
    {
        Permissions.Endpoints.Authorization,
        Permissions.Endpoints.Logout,
        Permissions.Endpoints.Token,
        Permissions.Endpoints.Revocation,
        Permissions.GrantTypes.AuthorizationCode,
        Permissions.GrantTypes.RefreshToken,
        Permissions.ResponseTypes.Code,
        Permissions.Scopes.Profile,
        Permissions.Scopes.Roles,
        Permissions.Prefixes.Scope + "api1"
    },
    Requirements =
    {
        Requirements.Features.ProofKeyForCodeExchange
    }
});

relevant openid config:

"scopes_supported": [
   "openid",
   "offline_access",
   "profile",
   "roles",
   "email",
   "api1"
],

I did disable access token encryption because the Angular client reads the 'sub' claim to get the user ID. Could this be the problem? I'm not seeing any scope missing.

Upvotes: 0

Views: 1268

Answers (1)

Elger Mensonides

Reputation: 7029

Found the problem; I must have been tired. When setting scopes on the identity, I forgot the roles scope.

identity.SetScopes(new[] { "api1", "profile", "openid", "offline_access" });

Fixed it by just setting:

identity.SetScopes(request.GetScopes());

So the error was pretty spot on; it would've been nice to have the offending scope, though.

Upvotes: 0
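The rule behind that error, as an added example that is not from the post or from OpenIddict's code: a model of the check an OAuth 2.0 server applies when a refresh_token request carries a scope parameter (RFC 6749 section 6), run against the scope sets from the post before and after the fix. The granted sets and the request dictionary are constructed from the post's values; the function and field names are assumptions for illustration.

```python
"""Model of the refresh-grant scope rule (RFC 6749 section 6): a refresh may
narrow the scope granted when the refresh token was issued, but never widen
it. Constructed from the post's values; this is not OpenIddict's code."""
from dataclasses import dataclass

# Scopes the post's original code stored on the identity (missing "roles").
GRANTED_BEFORE_FIX = frozenset({"api1", "profile", "openid", "offline_access"})
# After the fix the identity carries what the authorization request asked for
# (assumed here to have included "roles", matching the refresh request).
GRANTED_AFTER_FIX = GRANTED_BEFORE_FIX | {"roles"}

# The refresh request body from the post; scope is space-delimited (RFC 6749 3.3).
REFRESH_REQUEST = {
    "grant_type": "refresh_token",
    "scope": "openid roles offline_access",
    "client_id": "js",
}


@dataclass(frozen=True)
class RefreshDecision:
    ok: bool
    scopes: frozenset       # scopes the newly issued tokens will carry
    offending: frozenset    # requested scopes that were never granted
    error: str = ""


def validate_refresh_scopes(granted: frozenset, request: dict) -> RefreshDecision:
    """Decide whether a refresh_token request may be honoured.

    No 'scope' parameter: reuse the scopes granted at issuance.
    'scope' present: every requested scope must already be in the granted
    set; anything else is an attempt to refresh into a wider grant.
    """
    raw = request.get("scope", "").strip()
    if not raw:
        return RefreshDecision(True, granted, frozenset())
    requested = frozenset(raw.split())
    offending = requested - granted
    if offending:
        # Same error class OpenIddict returns; this model also names the scope
        # so an operator can see which one the client was never granted.
        return RefreshDecision(False, frozenset(), offending,
                               "invalid_grant: The specified 'scope' is invalid.")
    return RefreshDecision(True, requested, frozenset())
```

With the pre-fix grant the request is refused and the offending scope is "roles"; with the post-fix grant it succeeds and the new tokens carry exactly the three requested scopes.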
