Closed AlexKubiesa closed 1 year ago
This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.
The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.
The behaviour of the `scope` parameter is different between the different types of flow:

- When the `scope` parameter is missing or empty, I get an "invalid scope" error.
- When the `scope` parameter is missing or empty, the access token contains all allowed scopes.

I have tried to make the token request fail when no scopes are requested, or to reduce the list of returned scopes to only the ones requested, by injecting a custom scope parser, a custom resource validator, and a custom token request validator, but on entry to the relevant methods, it looks like all the scopes have been requested even though they haven't.
When the `scope` parameter is missing or empty, I think the request should fail - or at least it shouldn't contain the `offline_access` scope, because that causes refresh tokens to be unnecessarily put in the persisted grant store and not deleted.

Relevant parts of the log file
Here is part of the console log when I go through the Resource Owner Password flow with a missing `scope` parameter.
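Added example, not from the issue author or the IdentityServer4 project (the class name and error text are my own): a custom token request validator that rejects a Resource Owner Password token request whose raw `scope` form parameter is absent or empty. It reads the raw parameter rather than the parsed scope list, because by the time custom validators run IdentityServer4 has already substituted the client's full allowed-scope list when none was sent, which is the behaviour described above.

```csharp
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Validation;

// Hypothetical validator (not part of IdentityServer4): fail password-grant token
// requests that do not explicitly name their scopes, so a missing "scope" can no
// longer silently expand to every allowed scope, offline_access included.
public class RequireExplicitScopeValidator : ICustomTokenRequestValidator
{
    public Task ValidateAsync(CustomTokenRequestValidationContext context)
    {
        var request = context.Result.ValidatedRequest;

        // Only the password grant is affected in the report; other grants pass through.
        if (request.GrantType == OidcConstants.GrantTypes.Password)
        {
            // Inspect the raw form field: the parsed scope list on the request has
            // already been filled with all of the client's allowed scopes at this point.
            var rawScope = request.Raw.Get(OidcConstants.TokenRequest.Scope);
            if (string.IsNullOrWhiteSpace(rawScope))
            {
                context.Result.IsError = true;
                context.Result.Error = OidcConstants.TokenErrors.InvalidScope;
                context.Result.ErrorDescription = "scope parameter is required";
            }
        }

        return Task.CompletedTask;
    }
}

// Registration in Startup.ConfigureServices:
// services.AddIdentityServer()
//     .AddCustomTokenRequestValidator<RequireExplicitScopeValidator>();
```

With this in place, a password-grant request without `scope` receives an `invalid_scope` error instead of a token carrying `offline_access`, so no refresh token is written to the persisted grant store.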