OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

invalid_request This client application is not allowed to use the specified scope. #13578

Open MikeAlhayek opened 1 year ago

MikeAlhayek commented 1 year ago

Describe the bug

I am trying to create 2 tenants, where one plays the OpenId server role and the other plays the client role. I created the blog5 tenant https://localhost:44313/blog5/ and enabled OpenID Authorization Server and OpenID Token Validation. Under Security >> OpenID Connect >> Management >> Application I added a new application named Blog1; I specified the clientId, clientSecret and Authorization code flow. In the Redirect Uris I specified https://localhost:44313/blog1/signin-oidc.

Now, I went to the blog1 tenant and enabled the OpenID Client feature. While still on the blog1 site I navigated to Security >> OpenId Connect >> Settings >> Authentication client. I put in Blog5 as the display name. In the Authority I put https://localhost:44313/blog5. I supplied the clientId (that I added when I added the application in blog5), checked "Use 'code' response type", and provided the secret.

When I try to log in to blog1 using the Blog 5 authentication client, I get invalid_request This client application is not allowed to use the specified scope.

Screenshots

Here is the login screen from Blog1

When I click on Blog 5 to log in, I get the following error

MikeAlhayek commented 1 year ago

@MichaelPetrinolis is there something I missed here in my setup? Note that I am not using any scopes here. Could it be that both sites are on localhost and using a tenant prefix?

MichaelPetrinolis commented 1 year ago

Try to request the email scope in the client, and also create two scopes, email and profile, in the server. Finally, give access to those scopes to the client.

client configuration

server configuration

MikeAlhayek commented 1 year ago

@MichaelPetrinolis okay, that worked. But why do I have to explicitly specify scopes? I don't want to use scopes. I was able to use Postman to authenticate to the server without scopes and was hoping to be able to use the OpenId client in OC to authenticate to the server as well.

MichaelPetrinolis commented 1 year ago

If I remember correctly, the OpenID Connect protocol works with standard scopes. Obviously the server configures the openid scope by default (it is the only mandatory scope), but it does not configure the profile scope. The client explicitly requests the openid and profile scopes. We also request the email scope in order to match with existing accounts.

MikeAlhayek commented 1 year ago

@MichaelPetrinolis hummm, I am a bit confused. How come it works from Postman without explicitly specifying a scope? Do you recall what actually happens when we request the email and profile scopes? Are these predefined keys in OC which expose specific content?

ns8482e commented 1 year ago

I guess the issue is that the OpenId client requests the openid and profile scopes from /authorize, but you don't have the profile scope created and assigned to the client application.

Create a profile scope in server Management -> Scopes, and then in the application select the profile scope.

ns8482e commented 1 year ago

I don't know if there is a way to remove the profile scope from the OpenId Client (e.g. in your case from blog1). Hence I feel that profile is a mandatory scope and should be assigned by default to all applications (i.e. in your case the server blog5) within OpenId Server, without needing to create one from the Scope UI.
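The check ns8482e describes, as an added example that is not OrchardCore or OpenIddict code: a constructed model of the server's scope-permission check, where every non-openid scope the client sends to /authorize has to be created on the server and granted to the application, and the `AuthorizationServer`/`ClientApplication` names and the `demo()` setup (a blog5 server with a blog1 application) are assumptions for illustration.

```python
# Constructed model of the scope-permission check this thread runs into.
# Illustration only, not OrchardCore/OpenIddict code; class and function names are assumed.
from dataclasses import dataclass, field

MANDATORY_SCOPE = "openid"                      # configured by the server by default
CLIENT_DEFAULT_SCOPES = "openid profile email"  # what the OpenID Client feature requests, per the thread


@dataclass
class ClientApplication:
    client_id: str
    allowed_scopes: set = field(default_factory=set)  # scopes assigned to the app in the server UI


@dataclass
class AuthorizationServer:
    applications: dict = field(default_factory=dict)
    scopes: set = field(default_factory=lambda: {MANDATORY_SCOPE})  # Management -> Scopes

    def register_scope(self, name):
        self.scopes.add(name)

    def grant_scope(self, client_id, name):
        # A scope must exist on the server before it can be assigned to an application.
        if name not in self.scopes:
            raise ValueError(f"scope {name!r} must be created before it can be assigned")
        self.applications[client_id].allowed_scopes.add(name)


def validate_authorize_request(server, client_id, scope_param):
    """Mimic the /authorize scope check. Returns (error, description); (None, None) means OK."""
    app = server.applications.get(client_id)
    if app is None:
        return "invalid_client", "unknown client_id"
    requested = set(scope_param.split())
    if MANDATORY_SCOPE not in requested:
        return "invalid_request", "the 'openid' scope is required"
    # Every non-openid scope must have been granted to this application.
    if any(s not in app.allowed_scopes for s in requested - {MANDATORY_SCOPE}):
        return "invalid_request", "This client application is not allowed to use the specified scope."
    return None, None


def missing_scope_grants(server, client_id, scope_param):
    """Scopes the admin still has to create and assign for this request to succeed."""
    app = server.applications[client_id]
    return sorted(set(scope_param.split()) - {MANDATORY_SCOPE} - app.allowed_scopes)


def demo():
    blog5 = AuthorizationServer()
    blog5.applications["blog1"] = ClientApplication("blog1")  # no scopes assigned, as in the report
    before = validate_authorize_request(blog5, "blog1", CLIENT_DEFAULT_SCOPES)
    todo = missing_scope_grants(blog5, "blog1", CLIENT_DEFAULT_SCOPES)
    for name in todo:  # the fix from the thread: create the scopes, then assign them to the app
        blog5.register_scope(name)
        blog5.grant_scope("blog1", name)
    after = validate_authorize_request(blog5, "blog1", CLIENT_DEFAULT_SCOPES)
    return before, todo, after


if __name__ == "__main__":
    print(demo())
```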