logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0

bug: Unable to handle openid connect authorize scope correctly #6742

Closed AllinProgram closed 1 month ago

AllinProgram commented 1 month ago

Describe the bug

I'm using the Discourse OIDC plugin, combined with Logto. Whenever I set the openid connect authorize scope, I can never pass in a scope other than "openid".

Log like:

(oidc) Authentication failure! invalid_scope: OmniAuth::Strategies::OAuth2::CallbackError, invalid_scope | requested scope is not allowed
"/auth/oidc/callback?error=invalid_scope&error_description=requested%20scope%20is%20not%20allowed&scope=email"

I have checked that the "Scope" reported in the error exists in "scopes_supported" (/oidc/.well-known/openid-configuration).

I confirmed that I had set it up correctly. At first, I suspected that it was my own problem and searched for a long time.

Then I suddenly remembered that it might be a problem with Logto, so I tried three other IdPs, such as Auth0. They all work well with Discourse and handle the scope correctly.

Expected behavior

Set the scope, then the IdP returns the scope data.

How to reproduce?

  1. Create a random OIDC third-party application
  2. Configure Discourse and Logto information for each other. Remember to add scopes other than "openid" in Discourse.
  3. OIDC login displays an error.

Context

simeng-li commented 1 month ago

Have you whitelisted the email scope in the third-party application you created?
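
An added example, not Logto's own code, that models the two-layer scope check behind this answer: `scopes_supported` in the discovery document advertises what the server can issue at all, but a third-party application only receives the scopes explicitly granted to it, so a scope can be listed there and still be rejected with `invalid_scope` for that client. The discovery snippet, the client registration and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed discovery snippet, mirroring /oidc/.well-known/openid-configuration.
DISCOVERY = {"scopes_supported": ["openid", "profile", "email", "offline_access"]}

# Constructed third-party app registration. "allowed_scopes" is the per-client
# allowlist the reply refers to; "email" is missing, as in the report.
THIRD_PARTY_APP = {"client_id": "discourse-app", "allowed_scopes": {"openid", "profile"}}


def validate_scope(requested: str, client: dict, discovery: dict = DISCOVERY):
    """Model an OIDC provider's scope check for an authorization request.

    Returns (granted_scopes, None) on success or (None, error) on failure, where
    error has the OAuth 2.0 shape {"error": ..., "error_description": ...}.
    """
    scopes = requested.split()
    # An OpenID Connect request must carry the "openid" scope.
    if "openid" not in scopes:
        return None, {"error": "invalid_scope", "error_description": "openid scope is required"}
    # Layer 1: the server must support every requested scope.
    unknown = [s for s in scopes if s not in discovery["scopes_supported"]]
    if unknown:
        return None, {"error": "invalid_scope",
                      "error_description": f"unsupported scope: {' '.join(unknown)}"}
    # Layer 2: server-wide support is not per-client authorization. A third-party
    # app only gets what was granted to it, which is the check that fails here.
    denied = [s for s in scopes if s not in client["allowed_scopes"]]
    if denied:
        return None, {"error": "invalid_scope",
                      "error_description": "requested scope is not allowed"}
    return scopes, None


def parse_callback_error(url: str) -> dict:
    """Extract the error fields from a redirect like the one in the Discourse log."""
    query = parse_qs(urlsplit(url).query)
    return {k: query[k][0] for k in ("error", "error_description", "scope") if k in query}


if __name__ == "__main__":
    print(validate_scope("openid email", THIRD_PARTY_APP))
    # After granting "email" to the app, the same request succeeds.
    fixed_app = {**THIRD_PARTY_APP, "allowed_scopes": THIRD_PARTY_APP["allowed_scopes"] | {"email"}}
    print(validate_scope("openid email", fixed_app))
```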

AllinProgram commented 1 month ago

Oh my goodness, that's it!

I'm sorry I missed this config, and thank you for your patience. I think I should be able to handle these issues.

By the way, have you considered adding this hint to the configuration page? I think it would be easier for new users to use.