
Following roughly Scott's guide, I got it to work with authorization code flow. However, when I investigate the well-known, I see that junky_scope is listed as supported. My client and API scope/resource are declared as follows. The claims in the access token are to be based on the API scopes according to IDS4's GitHub.

public static IEnumerable<ApiScope> Obtain()
{
  yield return new ApiScope("junky_scope", "Junky Scope");
  // ... further scopes
}

// Wrapper method name assumed; only the yield return was shown.
public static IEnumerable<ApiResource> GetApiResources()
{
  yield return new ApiResource
  {
    Name = "blopp",
    // ...
    Scopes = new List<string> { "awesome_scope", "junky_scope", /* ... */ }
  };
}

// Wrapper method name assumed; only the yield return was shown.
public static IEnumerable<Client> GetClients()
{
  yield return new Client
  {
    ClientId = "spa_client",
    AllowOfflineAccess = true,
    AllowedGrantTypes = GrantTypes.Code,
    // ...
    AllowedScopes = new List<string> { "openid", "awesome_scope", "junky_scope" }
  };
}

Invoking the call to exchange my code for a token produces a valid access token but only containing the openid and offline_access scopes, though. The same happens when requesting a new one using the refresh token. The payload passed in the body is shown below. I've tried with no scope specified to get all of the supported scopes (as promised in the docs) with no success.

client_id=spa_client
&scope=junky_scope
&redirect_uri=http://localhost:44304/beep
&code=205D...EDBF
&grant_type=authorization_code

The setup is very similar to the one in this question as well as this one, although they regard different matters. The scopes declared are shown as included in the response, though.

I thought at first it may have to do with the definition of my test users but there's nothing about claims there and the closest I can see is claims. But I don't rely on claims in my scope, so that's a dead-end.

I'm lost and not sure how to troubleshoot it further. Googling variations of ids4 access token scope no included produced very little.

Konrad Viltersten

1 Answer


Not a big fan of answering my own questions but on occasion, it's called for.

Apparently, there's a bug in IDS4 (or, at least a highly unclear spot in the documentation). It states as follows.

scope
One or more registered scopes. If not specified, a token for all explicitly allowed scopes will be issued.

That is incorrect, hence my confusion leading to the question.


Now, if I'm to defend IDS4 docs, it is said also that the parameter is required for the authorization (not the exchange nor renewal) request.

scope
One or more registered scopes (required).

Now, besides it being a clear discrepancy and listed on different pages, if we interpret explicitly allowed scopes as those that are referenced during the authorization and not in the server's clients, API scopes/resources, then yes, the docs are not wrong. But that's a deep dive in spagat from where I stand, to make that plausible as obvious.

Konrad Viltersten
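To make the answer's point concrete, here is an added example (not code from the question, the answer, or IdentityServer4 itself): the scopes are fixed by the authorization request, the token-exchange body carries no scope parameter, and a small helper reads the scope claim out of the returned access token so you can see what was actually granted. The authority URL, the PKCE values and the token built by make_unsigned_token are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed values for this example, not taken from a real deployment.
AUTHORITY = "https://ids.example.test"
CLIENT_ID = "spa_client"
REDIRECT_URI = "http://localhost:44304/beep"


def build_authorize_url(scopes, state, code_challenge):
    """Authorization request: this is where the requested scopes are decided.
    Later token-endpoint calls (exchange, refresh) do not widen them."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),          # e.g. "openid offline_access junky_scope"
        "state": state,
        "code_challenge": code_challenge,   # PKCE, assumed enabled for the SPA client
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/connect/authorize?{urlencode(params)}"


def build_token_request(code, code_verifier):
    """Token exchange body: deliberately no scope parameter here."""
    return {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }


def token_scopes(access_token):
    """Read the 'scope' claim from a JWT payload without checking the signature.
    Debugging aid only; IDS4 may emit the claim as an array or a string."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    scope = claims.get("scope", [])
    return set(scope.split()) if isinstance(scope, str) else set(scope)


def missing_scopes(access_token, expected):
    """Scopes you asked for that the issued token does not carry."""
    return set(expected) - token_scopes(access_token)


def make_unsigned_token(claims):
    """Constructed JWT-shaped test token with a dummy signature (not a real JWT)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Running missing_scopes on the token from the question would report junky_scope as absent, which points you back at the scope list in the authorize URL rather than at the exchange call.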