IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars 4.02k forks source link

Is the scope claim a string or an array of strings? #5396

Closed vanillajonathan closed 2 years ago

vanillajonathan commented 3 years ago

The RFC 7662 OAuth 2.0 Token Introspection has "scope" as a string. https://datatracker.ietf.org/doc/html/rfc7662#section-2.2

The IdentityServer4 documentation has scope as a string. https://identityserver4.readthedocs.io/en/latest/topics/resources.html#authorization-based-on-scopes

{
   "typ": "at+jwt"
}.
{
   "client_id": "mobile_app",
   "sub": "123",

   "scope": "read write delete"
}

But from IdentityServer4 I get an access token with the scope as a list of strings.

{
  "nbf": 1638269462,
  "exp": 1638273062,
  "iss": "https://localhost:5001",
  "aud": "api",
  "client_id": "example",
  "sub": "123",
  "auth_time": 1638269460,
  "idp": "local",
  "scope": [ "openid", "profile", "email", "offline_access" ],
  "amr": [ "pwd" ]
}

Is this a bug?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.