Closed pawepaw closed 7 years ago
Please fix. It would be quite useful to be able to require multiple scopes.
There is nothing to fix as it is by design.
If you want to require multiple scopes - write a simple middleware (or an authorization attribute) that checks for the existence of your required scopes.
We renamed the property in IdentityServer4.AccessTokenValidation.
Thanks for clarifying.
I see that can supply multiple scopes in RequiredScopes however, I only need one scope & scopesecret (defined by clientId & clientSecret) to secure the webApi. So if the introspect end point is making sure that the caller has the scope (defined by clientId & clientSecret), what is the accesstokenvalidation middleware doing with the RequiredScopes attribute? How does it use RequiredScopes?
Hello,
We found it a bit missleading that if you add multiple required scope middleware actually requires only one of required scope and authorizes if it exist. Maybe you should rename it to AllowedScopes or add some summary comment to explain it(I can create pr for ti)?