Open hosamyousof opened 2 days ago
@raman-m can you please help resolve this?
OpenIddict -> https://github.com/openiddict/openiddict-core
We do not use this Auth provider and have not tested it, so we cannot assist with its integration. Our core services are thoroughly tested with the IdentityServer4 provider only. It is possible that our core auth services do not support the models of your Auth provider.
no one user scope: 'InfraAPIs AdminAPIs' match with some allowed scope: 'InfraAPIs'
This error is generated by this line of code:
https://github.com/ThreeMammals/Ocelot/blob/ce0227c059f220761acc2d880e554174bdb3c544/src/Ocelot/Authorization/ScopesAuthorizer.cs#L38
This implies that the matchesScopes collection is empty following the intersection. It would be beneficial to debug the following line accordingly:
https://github.com/ThreeMammals/Ocelot/blob/ce0227c059f220761acc2d880e554174bdb3c544/src/Ocelot/Authorization/ScopesAuthorizer.cs#L24
It appears that the _claimsParser service is parsing the data from the OpenIddict token incorrectly. Could you debug it?
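An added illustration of the mismatch described above (example code, not Ocelot's ScopesAuthorizer or claims parser): when the access token carries both scopes in one space-delimited scope claim, a plain intersection of raw claim values against the allowed scopes is empty, while splitting each claim value on whitespace first (the scope format of RFC 6749, section 3.3) restores the match. The claim type "scope", the scope values and the allowed scope are constructed from this thread; it is an assumption that the parser in question returns raw claim values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ScopeCheckDemo
{
    // Collects the raw value of every "scope" claim, one entry per claim.
    // With a single space-delimited claim this yields ["InfraAPIs AdminAPIs"],
    // which is the shape the error message in this thread prints.
    public static List<string> RawScopes(ClaimsPrincipal user) =>
        user.FindAll("scope").Select(c => c.Value).ToList();

    // Splits each claim value on whitespace before collecting, so the same
    // token yields ["InfraAPIs", "AdminAPIs"] and can match a single allowed scope.
    public static List<string> NormalizedScopes(ClaimsPrincipal user) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            .Distinct(StringComparer.Ordinal)
            .ToList();

    // True when at least one user scope matches one allowed scope (the
    // "some allowed scope" rule from the error message); an empty
    // intersection is what leads to the 403 response.
    public static bool IsAuthorized(IEnumerable<string> userScopes, IEnumerable<string> allowedScopes) =>
        userScopes.Intersect(allowedScopes, StringComparer.Ordinal).Any();

    public static void Main()
    {
        // Constructed sample token: one "scope" claim carrying two scopes.
        var identity = new ClaimsIdentity(new[] { new Claim("scope", "InfraAPIs AdminAPIs") }, "Bearer");
        var user = new ClaimsPrincipal(identity);
        var allowed = new[] { "InfraAPIs" };

        Console.WriteLine(IsAuthorized(RawScopes(user), allowed));        // False: no match, 403
        Console.WriteLine(IsAuthorized(NormalizedScopes(user), allowed)); // True: match after splitting
    }
}
```

The same check also passes with raw values when the token carries each scope as its own "scope" claim, which is why setting all scopes in the route works in the thread while a single scope does not.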
@hosamyousof Hosam, why have you been silent?
Thanks @raman-m, I will try to debug it and get back to you.
Expected Behavior
The quote from the documentation: Authentication | Allowed Scopes
Actual Behavior
Validating one scope is not working and returns 403 Forbidden. The user access token has permission to two scopes 'InfraAPIs AdminAPIs' and I want to validate the InfraAPIs scope only in the rule in ocelot.json like:
Error log message from ocelot:
OpenIddict validation handler configuration in program.cs:
If I set all the scopes it's working but I want only to set one scope for the rule in ocelot.json.
Steps to Reproduce the Problem
Use the provided configuration and make call to endpoint.
Specifications