Consider removing AllowAccessToAllScopes

[leastprivilege]

No description provided.

[brockallen]

done on config branch

[brockallen]

done

[liamdawson]

Is there an alternative to be used?

[leastprivilege]

Specify the scopes explicitly.

[ChristopherHaws]

I'm a bit confused by this. In the talk you gave at NDC (https://youtu.be/l7MgGY3lnts?t=30m59s) you mentioned that scope is no longer required and that this is why the scope field on RequestClientCredentialsAsync is not a required field (hence the null default value which is still the case). This is also mentioned in your blog (https://leastprivilege.com/2016/09/14/new-in-identityserver4-default-scopes/).

Is there a particular reason that this feature was removed? Perhaps a security risk of some sort? If this is the case, should the RequestClientCredentialsAsync method be changed to not allow a default null value?

Thanks!
Chris

[brockallen]

scope is not required as a parameter, but you still need to indicate which scopes the client is allowed access to via the AllowedScopes.

[ChristopherHaws]

@brockallen After looking through the code trying to figure out why I've been getting an invalid_scope error, I found that the reason was because I was using AllowedGrantTypes = GrantTypes.ClientCredentials and I had AllowOfflineAccess = true.

I then looked up the RFC and found this section which states that a refresh token should not be included:
https://tools.ietf.org/html/rfc6749#section-4.4.3

Just wanted to post this here for anyone else running into this issue. Perhaps in the future additional error messages could be included in the server logs to indicate that the client is configured in an invalid state.

Thanks!

[brockallen]

What was the error in the IdSvr logs for this misconfigured scenario?

[ChristopherHaws]

@brockallen After having read parts of the RFC, I guess the error isn't that bad, although it would be nice if the error happened earlier (at the time the client is configured) rather than during the actual client request... I just wasn't understand the error until I did some digging into the RFC to understand what some of these terms meant. I think that the part that was tripping me up was that I needed to understand that AllowOfflineAccess means allow the client to request a refresh token, which in turn doesn't make sense for the client credentials grant type. I am still fairly new to doing auth beyond using simple middleware for google/twitter/etc, so there are a lot of new terms that I am still trying to digest. :)

The error from the log:

IdentityServer4.Validation.TokenRequestValidator:Error: test-client cannot request a refresh token in client credentials flow
IdentityServer4.Validation.TokenRequestValidator:Error: {
  "ClientId": "test-client",
  "ClientName": "Test Client",
  "GrantType": "client_credentials",
  "Scopes": "test-scope",
  "Raw": {
    "grant_type": "client_credentials"
  }
}

[brockallen]

IdentityServer4.Validation.TokenRequestValidator:Error: test-client cannot request a refresh token in client credentials flow

Yea, I am not sure how much more clear that can be. IdentityServer is not meant to absolve one from understanding the protocols :)

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.