IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Only one of required scope is really required #112

Closed pawepaw closed 7 years ago

pawepaw commented 7 years ago

Hello,

We found it a bit misleading that if you add multiple required scopes, the middleware actually requires only one of the required scopes and authorizes if it exists. Maybe you should rename it to AllowedScopes or add a summary comment to explain it (I can create a PR for it)?

tboyce commented 7 years ago

Please fix. It would be quite useful to be able to require multiple scopes.

leastprivilege commented 7 years ago

There is nothing to fix as it is by design.

If you want to require multiple scopes - write a simple middleware (or an authorization attribute) that checks for the existence of your required scopes.

We renamed the property in IdentityServer4.AccessTokenValidation.
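As an added illustration of the "write a simple middleware" suggestion above (example code, not part of this issue thread and not the project's own code): an OWIN middleware that requires all listed scopes, in contrast to RequiredScopes, which is satisfied by any one of them. It assumes the bearer token middleware has already run in active mode and populated context.Authentication.User, and that granted scopes appear as "scope" claims (one claim per scope, as IdentityServer3 issues them; a single space-delimited claim is also handled). The scope names, the RequireAllScopes extension method and the authority URL are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

// Added example: enforce that the caller holds ALL of the configured scopes (AND semantics).
// RequiredScopes on the validation middleware is OR semantics: any one listed scope suffices.
public class RequireAllScopesMiddleware : OwinMiddleware
{
    private readonly string[] _requiredScopes;

    public RequireAllScopesMiddleware(OwinMiddleware next, string[] requiredScopes) : base(next)
    {
        if (requiredScopes == null || requiredScopes.Length == 0)
            throw new ArgumentException("At least one scope must be specified.", nameof(requiredScopes));
        _requiredScopes = requiredScopes;
    }

    public override async Task Invoke(IOwinContext context)
    {
        ClaimsPrincipal user = context.Authentication.User;

        // No authenticated principal: token missing or rejected upstream. 401 tells the
        // client to present a bearer token (RFC 6750).
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.Response.Headers.Set("WWW-Authenticate", "Bearer");
            return;
        }

        // Collect granted scopes. IdentityServer3 emits one "scope" claim per scope; splitting
        // on whitespace also covers tokens that carry a single space-delimited scope claim.
        var granted = new HashSet<string>(
            user.FindAll("scope")
                .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)),
            StringComparer.Ordinal);

        string[] missing = _requiredScopes.Where(s => !granted.Contains(s)).ToArray();
        if (missing.Length > 0)
        {
            // Authenticated but under-privileged: 403 with insufficient_scope, listing the
            // full required set rather than the granted set, so nothing about the token leaks.
            context.Response.StatusCode = 403;
            context.Response.Headers.Set("WWW-Authenticate",
                "Bearer error=\"insufficient_scope\", scope=\"" + string.Join(" ", _requiredScopes) + "\"");
            return;
        }

        await Next.Invoke(context);
    }
}

public static class RequireAllScopesExtensions
{
    // Hypothetical helper name. The scopes are wrapped in a single-element object[] so that
    // Use<T> passes the whole string[] as one constructor argument.
    public static IAppBuilder RequireAllScopes(this IAppBuilder app, params string[] scopes)
    {
        return app.Use<RequireAllScopesMiddleware>(new object[] { scopes });
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Token validation first; RequiredScopes is left unset because the AND check is done below.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:44333/core" // assumed authority URL
        });

        // Everything registered after this line needs BOTH scopes. To limit the requirement to one
        // path, register it inside app.Map("/api/orders", branch => branch.RequireAllScopes(...)).
        app.RequireAllScopes("orders.read", "orders.write");
    }
}
```

The ordering matters: the check must sit after UseIdentityServerBearerTokenAuthentication in the pipeline, otherwise context.Authentication.User is never populated and every request gets a 401. The same AND check can be expressed as a Web API AuthorizeAttribute by overriding IsAuthorized and inspecting the same "scope" claims on the action context's principal.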

tboyce commented 7 years ago

Thanks for clarifying.

olonga commented 7 years ago

I see that you can supply multiple scopes in RequiredScopes; however, I only need one scope and scope secret (defined by clientId and clientSecret) to secure the Web API. So if the introspection endpoint is making sure that the caller has the scope (defined by clientId and clientSecret), what is the AccessTokenValidation middleware doing with the RequiredScopes attribute? How does it use RequiredScopes?