OrchardCMS / OrchardCore

Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
https://orchardcore.net
BSD 3-Clause "New" or "Revised" License

Login script not attaching the roles to user during openid connect #13752

Open vitalybrandes opened 1 year ago

vitalybrandes commented 1 year ago

Describe the bug

I am trying to set up OpenID user authentication, registration and login with two Orchard Core apps,

one used as the OpenID Server app and the second used as the OpenID Client app.

The registration part is OK; all scopes worked perfectly. In the login script, the roles / role scope does not exist, and as a result the created user has no roles.

vitalybrandes commented 1 year ago

Issue #8840 is similar and was never closed.

MichaelPetrinolis commented 1 year ago

@vitalybrandes add a roles scope on server

{
  "name": "OpenIdScope",
  "Description": "Roles Scope",
  "DisplayName": "Roles",
  "ScopeName": "roles",
  "Resources": null
}

and create an application that allows the profile, email and roles scopes.

Then use the OpenID client to connect to the server using this app. Request the mentioned scopes. In the client script, when you iterate, you should receive the role claims.
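
The claim handling the comment above describes, as an added example that is not code from Orchard Core or from anyone in this thread. It is plain JavaScript so it runs under Node and does not use Orchard Core's own login-script helper functions; it models the claims the client receives as {type, value} pairs, assumes the granted scopes arrive as one space-separated "scope" claim, and assumes roles arrive under the claim type "role" or the .NET ClaimTypes.Role URI (all three are assumptions, as are the sample claims, which are constructed rather than captured). It shows the two things to check when the role list comes back empty: whether the "roles" scope was actually granted (the comparison is case sensitive, so "Roles" is not "roles") and, if it was, whether any role claims were issued at all.

```javascript
// Added example, not Orchard Core code. Claims are {type, value} pairs.
// Assumption: roles may be issued under the short OpenIddict name "role"
// or under the .NET ClaimTypes.Role URI; extend the set if a server differs.
const ROLE_CLAIM_TYPES = new Set([
  "role",
  "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
]);

// Assumption: granted scopes arrive as one space-separated "scope" claim.
// The match is exact, so a scope registered as "Roles" on the server does
// not satisfy a client asking for "roles".
function scopeGranted(claims, wanted) {
  return claims
    .filter((c) => c.type === "scope")
    .flatMap((c) => c.value.split(" "))
    .filter(Boolean)
    .includes(wanted);
}

// Collect distinct role names. A single role is a plain string; several
// roles may come as repeated claims or as one JSON-array string.
function extractRoles(claims) {
  const roles = new Set();
  for (const c of claims) {
    if (!ROLE_CLAIM_TYPES.has(c.type)) continue;
    let values = [c.value];
    if (typeof c.value === "string" && c.value.trim().startsWith("[")) {
      try {
        values = JSON.parse(c.value);
      } catch {
        values = [c.value]; // not valid JSON after all: keep the raw value
      }
    }
    for (const v of values) {
      const name = String(v).trim();
      if (name) roles.add(name);
    }
  }
  return [...roles];
}

// Separate "scope never granted" from "scope granted but no roles issued",
// which is the distinction the thread needs to make.
function diagnose(claims) {
  const roles = extractRoles(claims);
  if (roles.length > 0) return { roles, reason: "ok" };
  if (!scopeGranted(claims, "roles")) {
    return { roles, reason: "roles-scope-not-granted" };
  }
  return { roles, reason: "no-role-claims-issued" };
}

// Constructed sample claim sets (not captured from a real server).
const goodClaims = [
  { type: "sub", value: "42" },
  { type: "email", value: "alice@example.test" },
  { type: "scope", value: "openid profile email roles" },
  { type: "role", value: "Administrator" },
  { type: "role", value: "Editor" },
];

// Scope registered with the wrong case: the client asked for "roles",
// the server granted "Roles", so no role claims are present.
const wrongCaseClaims = [
  { type: "sub", value: "42" },
  { type: "email", value: "alice@example.test" },
  { type: "scope", value: "openid profile email Roles" },
];

// Several roles packed into one JSON-array claim value.
const arrayRoleClaims = [
  { type: "scope", value: "openid roles" },
  { type: "role", value: "[\"Author\",\"Editor\"]" },
];

console.log(diagnose(goodClaims));      // roles: Administrator, Editor
console.log(diagnose(wrongCaseClaims)); // reason: roles-scope-not-granted
console.log(diagnose(arrayRoleClaims)); // roles: Author, Editor
```

If the diagnosis is "roles-scope-not-granted", the fix is on the server side (the scope name in the recipe or UI, and the scope being allowed on the application) or in the client's requested scopes, not in the login script; only "no-role-claims-issued" points at the user having no roles assigned on the server.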

vitalybrandes commented 1 year ago

Are scope names case sensitive?

MichaelPetrinolis commented 1 year ago

yes

vitalybrandes commented 1 year ago

I will check it again, but until now I created the scopes in the UI (not sure about the case-sensitive letters, need to check); then, using the client, I didn't get the "role" claim in the login script.

vitalybrandes commented 1 year ago

Hi @MichaelPetrinolis, it didn't work. I set up the roles scope in the server app as well as in the client. The email scope is OK, but the roles are not!

vitalybrandes commented 1 year ago

@MichaelPetrinolis Do you have any idea?