Scopes are not added to (client credentials) access token
Openiddict.AspNetCore (3.0.0-beta6.20527.75)
How to reproduce issue
- Add a client application to the OpenIddict server and add a few custom scopes.
- Fetch the (client credentials) access token by calling /connect/token:
```bash
curl --location --request POST 'https://localhost:5000/connect/token' \
--header 'Authorization: Basic myclientid:myclientsecret' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=myapp' \
--data-urlencode 'scope=account account.read account.write'
```
- Call a web API using the access token and debug the claims, looking for scopes (scopes are missing; no scopes are added to the access token by default?)
Issue Analytics
- State:
- Created 3 years ago
- Comments: 10 (5 by maintainers)
Top GitHub Comments
That’s the expected behavior (and pretty much the reason why OpenIddict uses its own private scopes claims: we don’t have to split a unique scope value each time we want to work with them)
Thank you for the answer. I won’t pretend I understood all of it, but I now know what I have to do with more confidence.
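
The reproduction steps and the maintainer's remark about private scope claims can be tied together in one sketch. This is an added example, not code from the issue or from the OpenIddict project. It assumes the OpenIddict 3.x server and validation ASP.NET Core packages are configured, and that the requested scopes are registered and permitted for the client. The `api/account` route and the response shape are hypothetical.

```csharp
using System;
using System.Security.Claims;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using OpenIddict.Validation.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    [HttpPost("~/connect/token"), Produces("application/json")]
    public IActionResult Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest() ??
            throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        if (!request.IsClientCredentialsGrantType())
            throw new NotImplementedException("Only the client credentials grant is handled here.");

        // The client itself is the subject of a client credentials token.
        var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        identity.AddClaim(Claims.Subject, request.ClientId, Destinations.AccessToken);
        var principal = new ClaimsPrincipal(identity);

        // Scopes are granted explicitly: if this call is omitted, the principal
        // carries no scope and the issued access token has none either.
        principal.SetScopes(request.GetScopes());

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}

// Hypothetical resource API protected by the OpenIddict validation handler.
[ApiController, Route("api/account")]
[Authorize(AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)]
public class AccountController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // HasScope reads OpenIddict's private scope claims (one claim per scope),
        // so no manual splitting of a space-separated "scope" value is needed.
        // A token without the scope is rejected rather than served.
        if (!User.HasScope("account.read"))
            return Forbid(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);

        return Ok(new { subject = User.FindFirst(Claims.Subject)?.Value });
    }
}
```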