Open MikeAlhayek opened 1 year ago
@MichaelPetrinolis is something I missed here in my setup? Note that I am not using any scopes here. Could it be that both sites are on localhost and using tenant prefix?
Try to request the email scope in the client, and also create two scopes, email and profile, in the server. Finally, give access to those scopes to the client.
[Screenshot: client configuration] [Screenshot: server configuration]
@MichaelPetrinolis okay, that worked. But why do I have to explicitly specify scopes? I don't want to use scopes. I was able to use Postman to authenticate to the server without scopes and was hoping to be able to use the OpenId client in OC to authenticate to the server as well.
If I remember correctly, the OpenID Connect protocol works with standard scopes. Obviously the server configures the openid scope by default (it is the only mandatory scope), but it does not configure the profile scope. The client explicitly requests the openid and profile scopes. We also request the email scope in order to match with existing accounts.
@MichaelPetrinolis hummm, I am a bit confused. How come it works from Postman without explicitly specifying a scope? Do you recall what actually happens when we request the `email` and `profile` scopes? Are these predefined keys in OC which expose specific content?
I guess the issue is that the OpenId client requests the openid and profile scopes at /authorize, but you don't have the profile scope created and assigned to the client application.
Create a profile scope in server management -> scopes and then in the application select the profile scope.
I don't know if there is a way to remove the `profile` scope from the OpenId Client (e.g. in your case from blog1). Hence I feel that `profile` is a mandatory scope and should be assigned by default to all applications (i.e. in your case server blog5) within OpenId Server, without needing to create one from the Scope UI.
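The scope check the replies above describe, as an added example that is not Orchard Core's or OpenIddict's own code: a minimal model of an OpenID Connect server validating the scopes in an /authorize request against the scopes created on the server and granted to the client application. The client id, the /authorize path and the simplified order of the checks are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Error text quoted in the thread.
ERR_SCOPE = "This client application is not allowed to use the specified scope."

@dataclass
class ClientApplication:
    client_id: str
    redirect_uris: set
    # Scopes granted to the application under Management -> Applications.
    allowed_scopes: set = field(default_factory=set)

def build_authorize_url(authority, client_id, redirect_uri, scopes):
    """Client side: what the OpenID client sends to the server's /authorize."""
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "scope": " ".join(scopes)}
    return f"{authority}/authorize?{urlencode(query)}"

def validate_authorize_request(url, app, server_scopes):
    """Server side: (ok, error) for a request URL. Assumed simplified rules:
    'openid' is mandatory and always available; any other requested scope
    must exist on the server and be granted to the client application."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    requested = set(q.get("scope", "").split())
    if q.get("client_id") != app.client_id:
        return False, "invalid_client"
    if q.get("redirect_uri") not in app.redirect_uris:
        return False, "invalid_request: unregistered redirect_uri"
    if "openid" not in requested:
        return False, "invalid_request: the openid scope is mandatory"
    extra = requested - {"openid"}
    if extra - app.allowed_scopes or extra - server_scopes:
        return False, "invalid_request: " + ERR_SCOPE
    return True, ""

def walkthrough():
    """Reproduce the thread: the request fails until the scopes are created and granted."""
    authority = "https://localhost:44313/blog5"          # OpenID server tenant
    redirect = "https://localhost:44313/blog1/signin-oidc"  # client tenant callback
    app = ClientApplication("blog1-client-id", {redirect})   # constructed client id
    url = build_authorize_url(authority, "blog1-client-id", redirect,
                              ["openid", "profile", "email"])
    before = validate_authorize_request(url, app, server_scopes={"openid"})
    # The fix from the thread: create profile/email on the server, then grant them.
    server_scopes = {"openid", "profile", "email"}
    app.allowed_scopes = {"profile", "email"}
    after = validate_authorize_request(url, app, server_scopes)
    return before, after
```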
Describe the bug
I am trying to create 2 tenants where one plays the OpenId server role and the other plays the client role. I created the `blog5` tenant (https://localhost:44313/blog5/) and enabled `OpenID Authorization Server` and `OpenID Token Validation`. Under Security >> OpenID Connect >> Management >> Application I added a new application named `Blog1`; I specified `clientId`, `clientSecret` and `Authorization code flow`. In the Redirect Uris I specified `https://localhost:44313/blog1/signin-oidc`.
Now, I went to the `blog1` tenant and enabled the `OpenID Client` feature. While still on the `blog1` site I navigated to Security >> OpenId Connect >> Settings >> Authentication client. I put in `Blog5` as the display Name. In the Authority I put `https://localhost:44313/blog5`. I supplied the clientId (that I added when I added the application in blog5), checked "Use 'code' response type", and provided the secret.
When I try to login to `blog1` using the Blog 5 authentication client, I get `invalid_request This client application is not allowed to use the specified scope.`
Screenshots
[Screenshot: the login screen from `Blog1`]
When I click on `Blog 5` to login I get the following error:
[Screenshot: the error]