This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Authorization request scope parameter optional #3102

Closed
tomheijmans opened this issue Mar 15, 2019 · 4 comments

Comments

@tomheijmans

I got an issue implementing the 'authorization code grant'-flow using IdentityServer4. The OAuth spec marks the scope-parameter optional for the 'Authorization Request' as described here https://tools.ietf.org/html/rfc6749#section-4.1.1. Unfortunately IdentityServer4 doesn't support an optional scope-parameter for the authorization request. It will generate an error response 'Invalid scope'. I'm not able to add the scope parameter to the request because I'm not in control of the client which connects to my OAuth server.

Are there any plans to add this feature to IdentityServer? Maybe I could create a pull request myself.

For reference: I found an older issue where the scope parameter is already marked optional for the token request. Default client scopes #161

@brockallen
Member

Put a middleware in front of IdentityServer to add it.

@tomheijmans
Author

@brockallen we already thought about this solution and this does work, but I don't think this is a nice solution. The middleware adds the 'scope' parameter to the querystring. Shouldn't the implementation be like it's done on the token exchange endpoint? Take the allowedscopes from the client if configured as the default.

@brockallen
Member

Well, our main focus is OIDC, which makes scope mandatory: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
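
As an added example that is not part of the original thread or IdentityServer4's own code, the middleware workaround discussed above could look like this in ASP.NET Core, with the default scope chosen per client rather than applied to every caller. The class name `DefaultScopeMiddleware`, the client id `legacy-client` and the scope `api1.read` are assumptions made for illustration; `/connect/authorize` is IdentityServer4's default authorize endpoint path.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example (hypothetical class): supplies a default scope on
// authorize requests that omit the parameter entirely.
// Register it before IdentityServer in Startup.Configure:
//   app.UseMiddleware<DefaultScopeMiddleware>();
//   app.UseIdentityServer();
public class DefaultScopeMiddleware
{
    private readonly RequestDelegate _next;

    // Constructed sample data: client_id -> default scope string.
    // Keep each value a narrow subset of that client's AllowedScopes,
    // so a client that sends no scope never receives more than intended.
    private static readonly IReadOnlyDictionary<string, string> Defaults =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            ["legacy-client"] = "api1.read"
        };

    public DefaultScopeMiddleware(RequestDelegate next) => _next = next;

    public async Task Invoke(HttpContext context)
    {
        var request = context.Request;

        // Only GET requests to the authorize endpoint are rewritten.
        if (HttpMethods.IsGet(request.Method) &&
            request.Path.StartsWithSegments("/connect/authorize") &&
            !request.Query.ContainsKey("scope"))
        {
            var clientId = request.Query["client_id"].ToString();

            // Unlisted clients are left untouched and still get the
            // server's normal 'Invalid scope' error response.
            if (Defaults.TryGetValue(clientId, out var defaultScope))
            {
                // QueryString.Add URL-encodes the value.
                request.QueryString = request.QueryString.Add("scope", defaultScope);
            }
        }

        await _next(context);
    }
}
```

A request that sends an explicit but empty `scope=` is not modified, so it fails validation as before instead of being silently upgraded.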

@lock

lock bot commented Jan 11, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 11, 2020