Revamping application permissions in OpenIddict RC3
In RC2, we introduced application permissions. To make the migration from RC1 to RC2 smoother, application permissions were mostly optional and OpenIddict had a fallback mechanism called “implicit permissions” it used to determine whether an application could perform the requested action. For instance, if no permission was explicitly attached to the application, it was considered fully trusted and was granted all the permissions.
Similarly, if you granted the “token endpoint” permission to an application but NO “grant type” permission, it was assumed the client application was allowed to use the password or client credentials grants.
Retrospectively, this logic was too complex and I decided to remove it in RC3.
What will change in RC3?
Starting with RC3, permissions are no longer optional nor implicit: if you don’t explicitly grant an application the necessary permissions, it will be blocked by OpenIddict.
To attach permissions to an application, use OpenIddictApplicationManager:
var descriptor = new OpenIddictApplicationDescriptor
{
    ClientId = "mvc",
    ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
    DisplayName = "MVC client application",
    PostLogoutRedirectUris = { new Uri("http://localhost:53507/signout-callback-oidc") },
    RedirectUris = { new Uri("http://localhost:53507/signin-oidc") },
    Permissions =
    {
        // Endpoints the client may call.
        OpenIddictConstants.Permissions.Endpoints.Authorization,
        OpenIddictConstants.Permissions.Endpoints.Logout,
        OpenIddictConstants.Permissions.Endpoints.Token,
        // Grant types the client may use at the token endpoint.
        OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
        OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
        // Scopes the client may request.
        OpenIddictConstants.Permissions.Scopes.Email,
        OpenIddictConstants.Permissions.Scopes.Profile,
        OpenIddictConstants.Permissions.Scopes.Roles
    }
};

await _applicationManager.CreateAsync(descriptor);
What if I don’t want to use permissions?
If you don’t care about permissions (e.g. because you don’t have third-party clients), you can disable them:
services.AddOpenIddict()
    // Register the OpenIddict server handler.
    .AddServer(options =>
    {
        options.IgnoreEndpointPermissions();
        options.IgnoreGrantTypePermissions();
        options.IgnoreScopePermissions();
    });
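Because RC3 drops the two fallbacks described above (an application with no permissions was fully trusted; a token-endpoint permission without any grant-type permission implied password/client credentials), it is worth auditing the applications already in your store before upgrading, so that nothing silently starts being rejected. The following audit is an added example, not code from the issue or from the OpenIddict project; it assumes the RC3 manager API shape (ListAsync returning an array, GetClientIdAsync, GetPermissionsAsync), the OpenIddict.Core and OpenIddict.Abstractions namespaces, and the listed GrantTypes constants.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using OpenIddict.Abstractions; // assumed: OpenIddictConstants lives here in RC3
using OpenIddict.Core;         // assumed: OpenIddictApplicationManager<T> lives here

public class ApplicationPermissionAudit<TApplication> where TApplication : class
{
    private readonly OpenIddictApplicationManager<TApplication> _manager;

    public ApplicationPermissionAudit(OpenIddictApplicationManager<TApplication> manager)
        => _manager = manager;

    // Grant-type permissions known to this example (assumed constant set).
    private static readonly string[] GrantTypePermissions =
    {
        OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
        OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
        OpenIddictConstants.Permissions.GrantTypes.Implicit,
        OpenIddictConstants.Permissions.GrantTypes.Password,
        OpenIddictConstants.Permissions.GrantTypes.RefreshToken
    };

    // Returns one finding per application that relied on an RC2 implicit
    // permission and will therefore be blocked once RC3 enforces explicit ones.
    public async Task<IList<string>> RunAsync()
    {
        var findings = new List<string>();

        foreach (var application in await _manager.ListAsync())
        {
            var clientId = await _manager.GetClientIdAsync(application);
            var permissions = await _manager.GetPermissionsAsync(application);

            // RC2 fallback 1: no permissions at all meant "fully trusted".
            if (permissions.Length == 0)
            {
                findings.Add($"{clientId}: no permissions attached; every request is blocked in RC3.");
                continue;
            }

            // RC2 fallback 2: token endpoint without a grant type implied password/client credentials.
            if (permissions.Contains(OpenIddictConstants.Permissions.Endpoints.Token) &&
                !permissions.Any(p => GrantTypePermissions.Contains(p, StringComparer.Ordinal)))
            {
                findings.Add($"{clientId}: token endpoint granted but no grant type permission; token requests are blocked in RC3.");
            }
        }

        return findings;
    }
}
```

Run it once against the RC2 database (for example from a one-off console command) and attach the missing permissions explicitly, as in the descriptor above, before deploying the RC3 server.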
Top GitHub Comments
I see why my migrations didn’t have the schema - my EF project is separate from the web project. I needed to add in my ef context (as pointed out by https://github.com/openiddict/openiddict-core/issues/401):
Indeed, deleting the database and having that call run again recreated all the proper schema. I probably did this in 2 steps and didn’t add OpenIddict until after. Probably related to this issue - https://github.com/openiddict/openiddict-core/issues/439
I’ll make sure to put proper migrations in; this isn’t related to RC3 then.