
Comments (9)

thomasduft avatar thomasduft commented on September 25, 2024

Hi @dinhan92

Can you elaborate a bit more? Maybe with some links to code bits? And do you use the sample client I provide? This one probably is not perfect. I know of some areas that require switching to another route and return so the client can load its state again. Especially in the Application section.

Thomas

from openiddict-ui.

dinhan92 avatar dinhan92 commented on September 25, 2024

I mean, in the Client I add this some_scope: scope: 'openid roles email server_scope api_scope some_scope', and in the database I also add this some_scope, but when I log in, request.GetScopes() does not return this some_scope !!!


dinhan92 avatar dinhan92 commented on September 25, 2024

I use your sample client, with this configuration:

```typescript
this.oauthService.configure({
  clientId: 'spa_client',
  issuer: isDevMode()
    ? devModeIssuer
    : window.location.origin + '/',
  redirectUri: redirUri,
  responseType: 'code',
  scope: 'openid roles email server_scope api_scope some_scope',
  requireHttps: false
});
```


dinhan92 avatar dinhan92 commented on September 25, 2024

(screenshot attachment; image not reproduced in this mirror)


dinhan92 avatar dinhan92 commented on September 25, 2024

(screenshot attachment; image not reproduced in this mirror)


thomasduft avatar thomasduft commented on September 25, 2024

Hi @dinhan92

OK, I think I got what confuses you.

From what I understand, you think you can receive the scopes you configured via the OAuth2 SPA Client (the sample Angular-based UI I provide within the samples) through the request.GetScopes() extension method that OpenIddict provides (var request = HttpContext.GetOpenIddictServerRequest()). This is not how things work here when it comes to OAuth2 and the meaning of Scopes.

You need to distinguish between an OAuth Client (within the OpenIddict domain that's what we call an Application) and the Resources (usually APIs) within the Single Sign-On (SSO) realm of your desired system that it is allowed to access. That's where you define a Scope on the Issuer (aka STS = Security Token Service) that basically defines the boundaries.

Then within your Client you specify the Scopes (in my example hardcoded: scope: 'openid roles email server_scope api_scope'). The client is built especially for that particular purpose. So from a security perspective you only want a particular client to have access to those few APIs. For other potential APIs that could exist within the system the client must not have access (least privilege principle). That means that Scopes give you the ability to define pretty complex communication and access scenarios.

Anytime a Client wants to issue a token, based on some other required OAuth2-specific properties (like client_id, ..) and the scope, the Issuer verifies the client (there could potentially be several clients with different scopes). If in the incoming request the Scope values "match" (fully or as a subset) the Permission-Scopes for the Application, then usually the STS accepts the Client and issues a token (=> dependent on the grant type too!).

Hope that was not too confusing, but trust me, I also spent quite some time learning the topic of OAuth2 and OpenID Connect and I am still learning ;-).

Thomas

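The server-side half of what Thomas describes, as an added example that is not code from openiddict-ui or from either participant: an ASP.NET Core authorization endpoint that reads the scopes the SPA asked for via request.GetScopes(), checks each one against the "scp:" permissions registered on the Application, and only then issues a principal carrying those scopes. It assumes OpenIddict's ASP.NET Core server integration, an IOpenIddictApplicationManager registered in DI, and cookie authentication for the end user; the route, the client_id and the claim selection are illustrative assumptions. OpenIddict's server already performs the same scope-permission check by default (it is only skipped when IgnoreScopePermissions() is configured), so the explicit loop here is defence in depth and, more usefully, makes the reason for a rejected scope visible in the error description.

```csharp
// Added example, not part of openiddict-ui. Assumes OpenIddict server (ASP.NET Core host),
// IOpenIddictApplicationManager in DI, and cookie authentication for the signed-in user.
using System.Collections.Immutable;
using System.Security.Claims;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class AuthorizationController : Controller
{
    private readonly IOpenIddictApplicationManager _applicationManager;

    public AuthorizationController(IOpenIddictApplicationManager applicationManager)
        => _applicationManager = applicationManager;

    [HttpGet("~/connect/authorize")] // assumed route; match it to your server options
    public async Task<IActionResult> Authorize()
    {
        // The parsed OAuth2/OIDC request; 'scope' has already been split on spaces.
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenIddict request cannot be retrieved.");

        ImmutableArray<string> requestedScopes = request.GetScopes();

        // Resolve the Application the client_id refers to (e.g. 'spa_client' in the thread).
        var application = await _applicationManager.FindByClientIdAsync(request.ClientId!)
            ?? throw new InvalidOperationException("Unknown client_id.");

        // Least privilege: every requested scope must be a permission ("scp:<name>") granted
        // to this Application. One unpermitted scope rejects the whole request with invalid_scope.
        foreach (var scope in requestedScopes)
        {
            if (!await _applicationManager.HasPermissionAsync(application, Permissions.Prefixes.Scope + scope))
            {
                return Forbid(
                    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
                    properties: new AuthenticationProperties(new Dictionary<string, string?>
                    {
                        [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidScope,
                        [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                            $"The scope '{scope}' is not permitted for client '{request.ClientId}'."
                    }));
            }
        }

        // The end user must be signed in (cookie) before consent/token issuance.
        var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (result?.Principal is null)
        {
            return Challenge(CookieAuthenticationDefaults.AuthenticationScheme);
        }

        // Build the identity OpenIddict will serialize into the tokens.
        var identity = new ClaimsIdentity(
            authenticationType: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
            nameType: Claims.Name,
            roleType: Claims.Role);

        // 'sub' is mandatory; copy the subject from the cookie principal (claim type assumed).
        identity.AddClaim(new Claim(Claims.Subject,
            result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value
                ?? throw new InvalidOperationException("No subject claim on the signed-in user.")));

        var principal = new ClaimsPrincipal(identity);

        // Only the scopes that passed the permission check end up in the token.
        principal.SetScopes(requestedScopes);

        // Claim destinations: 'sub' goes everywhere; email only if the 'email' scope was granted.
        principal.SetDestinations(claim => claim.Type switch
        {
            Claims.Subject => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            Claims.Email when principal.HasScope(Scopes.Email)
                => new[] { Destinations.AccessToken, Destinations.IdentityToken },
            _ => new[] { Destinations.AccessToken }
        });

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```

Two things to check when a scope such as some_scope "does not show up": the scope string the SPA sends must contain it (verify the actual /connect/authorize request in the browser's network tab rather than the configured value, since a stale session or cached authorization can replay an older scope list), and the Application row must carry the matching "scp:some_scope" permission; a scope registered in the scopes table but not granted to the Application is rejected by the loop above, not silently dropped.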

dinhan92 avatar dinhan92 commented on September 25, 2024

When I use Ctrl+Shift+N, it runs well though. Does it mean something was left in the cache?


dinhan92 avatar dinhan92 commented on September 25, 2024

By Ctrl+Shift+N, I mean the incognito window, sorry ^^


thomasduft avatar thomasduft commented on September 25, 2024

Hi there

Then it was probably a caching thing. It might help if you have a look at how to implement a custom controller (like AuthorizationController) in one of the excellent samples in the OpenIddict-Samples repository. I basically use those samples as an inspiration source as well ;-).

Thomas

