Robert Davey

Reputation: 517

OpenIddict Client not passing default scopes to authentication request

When adding a client registration in OpenIddict (via OpenIddictClientRegistration), the registration class has a Scopes property with the description:

Gets the list of scopes sent by default as part of authorization requests.

I am attempting to use this for any scopes I want to be on the token by default:

options.AddRegistration(new OpenIddictClientRegistration
{
    // ...
    Scopes =
    {
        "scope1",
        //...
        "scopeN",
    },
    // ...
});

However, when the OpenIddictClientService goes on to call AuthenticateWithClientCredentialsAsync, it does not seem to set these scopes on the ProcessAuthenticationContext it creates, so it will only ever use the list of scopes passed directly to the AuthenticateWithClientCredentialsAsync method.

The registration itself is passed into the context, but this does not seem to have any bearing on the scopes used.

Am I misunderstanding how the Scopes property on the OpenIddictClientRegistration should work or is there something else I need to set in order for these scopes to be passed by default with any request?

Upvotes: 1

Views: 651

Answers (2)

Hosam.Yousof

Reputation: 107

You can get the default client registration and then get the scopes like:

// 'service' is the injected OpenIddictClientService.
var clients = await service.GetClientRegistrationsAsync();

var result = await service.AuthenticateWithClientCredentialsAsync(new()
{
    // Copy the scopes configured on the first registration; fall back to an
    // empty list so a missing registration does not pass null to the service.
    Scopes = clients.FirstOrDefault()?.Scopes.ToList() ?? new List<string>(),
});

If you have multiple client registrations you can get the client registration by id using GetClientRegistrationByIdAsync() like:

var client = await service.GetClientRegistrationByIdAsync(identifier: "<client_id>");

Upvotes: 0

Kévin Chalet

Reputation: 42000

It's the expected behavior: this property is only used for interactive grants involving users like the code flow or the device authorization flow. For non-interactive grants like the client credentials grant, you must set ClientCredentialsAuthenticationRequest explicitly:

var result = await _service.AuthenticateWithClientCredentialsAsync(new()
{
    Scopes = ["my_scope"]
});

Upvotes: 2
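Putting the two answers together, the following is an added example (editor's code, not from the question, the answers or the OpenIddict project) that reuses the scopes configured on a registration for the client credentials grant, since that grant does not pick them up by itself. It assumes the registration was given a RegistrationId, that ClientCredentialsAuthenticationRequest exposes RegistrationId, Scopes and CancellationToken, and that the result exposes AccessToken; the filtering of requested scopes against the registration's configured list is an editorial design choice for least privilege, not OpenIddict behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Client;

// Added example: obtain a client credentials token while reusing the scopes
// configured on the OpenIddictClientRegistration. Property names on the
// request/result object are assumed as described in the lead-in.
public sealed class ClientCredentialsTokenProvider
{
    private readonly OpenIddictClientService _service;

    public ClientCredentialsTokenProvider(OpenIddictClientService service)
        => _service = service;

    // registrationId: the RegistrationId set on the OpenIddictClientRegistration (assumed).
    // requestedScopes: null means "every scope configured on the registration".
    public async Task<string> GetAccessTokenAsync(
        string registrationId,
        IEnumerable<string>? requestedScopes = null,
        CancellationToken cancellationToken = default)
    {
        var registration = await _service.GetClientRegistrationByIdAsync(registrationId, cancellationToken);

        // Treat the registration's Scopes as an allow-list: a caller may narrow the
        // token but cannot request a scope the registration was not configured for.
        // (Editorial choice; OpenIddict itself does not filter here.)
        var configured = registration.Scopes;
        var scopes = requestedScopes is null
            ? configured.ToList()
            : requestedScopes.Where(s => configured.Contains(s)).Distinct().ToList();

        if (scopes.Count == 0)
        {
            throw new InvalidOperationException(
                $"No usable scopes for registration '{registrationId}'.");
        }

        // The client credentials grant only uses the scopes passed explicitly,
        // so they are set on the request here.
        var result = await _service.AuthenticateWithClientCredentialsAsync(new()
        {
            RegistrationId = registrationId,
            Scopes = scopes,
            CancellationToken = cancellationToken
        });

        return result.AccessToken;
    }
}
```

Requesting only the scopes a given caller actually needs, rather than the whole configured list every time, keeps each access token as narrow as possible; the allow-list check above is what prevents a caller from widening it past what the registration was set up for.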
