Comments (9)
Hi @dinhan92
Can you elaborate a bit more? Maybe with some links to code bits? And do you use the sample client I provide? This one probably is not perfect. I know of some areas that require switching to another route and returning so the client can load its state again, especially in the Application section.
Thomas
from openiddict-ui.
I mean, in the Client, I add this some_scope: scope: 'openid roles email server_scope api_scope some_scope', and in the database I also add this some_scope, but when I log in, request.GetScopes() does not return this some_scope!!!
I use your sample client, the:
this.oauthService.configure({
  clientId: 'spa_client',
  issuer: isDevMode()
    ? devModeIssuer
    : window.location.origin + '/',
  redirectUri: redirUri,
  responseType: 'code',
  scope: 'openid roles email server_scope api_scope some_scope',
  requireHttps: false
});
Hi @dinhan92
Ok I think I got what confuses you.
From what I understand, you think you can receive the scopes you configured in the OAuth2 SPA Client (the sample Angular based UI I provide within the samples) via the request.GetScopes() extension method that OpenIddict provides (var request = HttpContext.GetOpenIddictServerRequest()). This is not how things work here when it comes to OAuth2 and the meaning of Scopes.
You need to distinguish between an OAuth Client (within the OpenIddict domain that's what we call an Application) and the Resources (usually APIs) within the Single Sign On (SSO) realm of your desired system that it is allowed to access. That's where you define a Scope on the Issuer (aka STS = Security Token Service), which basically defines the boundaries.
Then within your Client you specify the Scopes (in my example hardcoded: scope: 'openid roles email server_scope api_scope'). The client is built especially for that particular purpose. So from a security perspective you only want a particular client to have access to those few APIs. Other potential APIs that could exist within the system the client must not have access to (least privilege principle). That means that Scopes give you the ability to define pretty complex communication and access scenarios.
Any time a Client wants to obtain a token, the Issuer verifies the client based on some other required OAuth2 specific properties (like client_id, ...) and the scope (there could potentially be several clients with different scopes). If the Scope values in the incoming request "match" (fully or as a subset) the Permission Scopes for the Application, then usually the STS accepts the Client and issues a token (=> dependent on the grant type too!).
Hope that was not too confusing, but trust me, I also spent quite some time learning the topic of OAuth2 and OpenID Connect and I am still learning ;-).
Thomas
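The subset matching Thomas describes above, as an added example that is not part of this thread, of openiddict-ui, or of OpenIddict itself. It models the server-side check: the scopes in the client's request are compared against the permissions stored on the Application record. Assumptions made here: permission strings use the format OpenIddict stores on an application ("scp:<scope>", "ept:<endpoint>", "gt:<grant type>", "rst:<response type>"), the "openid" and "offline_access" scopes need no "scp:" permission (that is how the author of this example understands OpenIddict's built-in scope validation, not something the thread states), and the Application record shown is a constructed one that was registered without "scp:some_scope".

```typescript
// Added example, not code from openiddict-ui or OpenIddict.
// Models the rule from the thread: every requested scope must be covered by a
// permission on the Application, otherwise the STS rejects the request.
// Assumption: permission strings follow OpenIddict's stored "scp:" / "ept:" /
// "gt:" / "rst:" format, and openid / offline_access carry no "scp:" permission.

const SCOPE_PERMISSION_PREFIX = "scp:";

// Scopes accepted without a matching "scp:" permission (assumption, see above).
const IMPLICIT_SCOPES: ReadonlySet<string> = new Set(["openid", "offline_access"]);

interface ScopeCheck {
  ok: boolean;
  granted: string[];          // scopes the STS would put into the issued token
  missing: string[];          // requested scopes the Application is not permitted to use
  error?: string;             // OAuth2 error code on failure
  errorDescription?: string;
}

// Split the space-delimited "scope" parameter (RFC 6749, section 3.3),
// dropping duplicates but keeping the client's order.
function parseScopeParameter(scope: string): string[] {
  return Array.from(new Set(scope.trim().split(/\s+/).filter((s) => s.length > 0)));
}

// Permissions an Application must hold before a client may request these scopes.
function requiredScopePermissions(scopes: string[]): string[] {
  return scopes
    .filter((s) => !IMPLICIT_SCOPES.has(s))
    .map((s) => SCOPE_PERMISSION_PREFIX + s);
}

// Reject with invalid_scope instead of silently narrowing the request: a
// client asking for a scope it was never granted is a misconfiguration
// (or an attempt to escalate), and either should surface, not be hidden.
function checkScopePermissions(
  requestedScope: string,
  applicationPermissions: readonly string[],
): ScopeCheck {
  const requested = parseScopeParameter(requestedScope);
  const permitted = new Set(applicationPermissions);
  const missing = requested.filter(
    (s) => !IMPLICIT_SCOPES.has(s) && !permitted.has(SCOPE_PERMISSION_PREFIX + s),
  );
  if (missing.length > 0) {
    return {
      ok: false,
      granted: [],
      missing,
      error: "invalid_scope",
      errorDescription: `This client application is not allowed to request the scope(s): ${missing.join(" ")}`,
    };
  }
  return { ok: true, granted: requested, missing: [] };
}

// Constructed sample data: the scope string from the spa_client configuration
// posted in this thread, and a hypothetical Application record registered
// without "scp:some_scope".
const SPA_CLIENT_SCOPE = "openid roles email server_scope api_scope some_scope";
const SPA_CLIENT_PERMISSIONS: readonly string[] = [
  "ept:authorization", "ept:token", "ept:logout",
  "gt:authorization_code", "gt:refresh_token",
  "rst:code",
  "scp:roles", "scp:email", "scp:server_scope", "scp:api_scope",
];

// Scenario 1: as registered, the request fails because of some_scope.
const before = checkScopePermissions(SPA_CLIENT_SCOPE, SPA_CLIENT_PERMISSIONS);
console.log(before);

// Scenario 2: grant the Application the missing permission(s); the same request now passes.
const fixedPermissions = [...SPA_CLIENT_PERMISSIONS, ...requiredScopePermissions(before.missing)];
const after = checkScopePermissions(SPA_CLIENT_SCOPE, fixedPermissions);
console.log(after);
```

The point to take from the two scenarios: adding a scope to the client configuration and to the scopes table is not enough; the Application record also has to be permitted to request it, and until it is, the request is refused as a whole rather than returned with the extra scope dropped.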
When I use Ctrl Shift N, it runs well though. Does it mean something was left in the cache?
By Ctrl Shift N, I mean an anonymous window, sorry ^^
Hi there
Then it was probably a caching thing. It might help if you have a look at how to implement a custom controller (like AuthorizationController) in one of the excellent samples in the OpenIddict-Samples repository. I basically use those samples as a source of inspiration as well ;-).
Thomas