This repository has been archived by the owner on Jun 20, 2024. It is now read-only.

Angular SPA Template with Individual Auth doesn't work when the project name contains spaces #675

Open
JeremyEastham opened this issue May 11, 2022 · 2 comments

Comments

@JeremyEastham

Steps to Reproduce

  1. Run dotnet new angular --auth Individual --name "Test Project" --output "Test Project"
  2. Open Test Project.csproj in an IDE
  3. Run Test Project (only tested without IIS Express, but it probably doesn't matter)
  4. Wait for the SPA Proxy to launch
  5. Open the SPA and click Login
  6. Observe the log output:
Log Output:
fail: Duende.IdentityServer.Validation.DefaultResourceValidator[0]
      Scope Test not found in store or not supported by requested resource indicators.
fail: Duende.IdentityServer.Validation.DefaultResourceValidator[0]
      Scope ProjectAPI not found in store or not supported by requested resource indicators.
fail: Duende.IdentityServer.Endpoints.AuthorizeEndpoint[0]
      Request validation failed
info: Duende.IdentityServer.Endpoints.AuthorizeEndpoint[0]
      {
        "ClientId": "Test_Project",
        "ClientName": "Test_Project",
        "RedirectUri": "https://localhost:44412/authentication/login-callback",
        "AllowedRedirectUris": [
          "/authentication/login-callback"
        ],
        "SubjectId": "anonymous",
        "ResponseType": "code",
        "ResponseMode": "query",
        "GrantType": "authorization_code",
        "RequestedScopes": "Test ProjectAPI openid profile",
        "State": "22f72ee3ab9e4dbaa4becc14bd833e72",
        "PromptMode": "",
        "Raw": {
          "client_id": "Test_Project",
          "redirect_uri": "https://localhost:44412/authentication/login-callback",
          "response_type": "code",
          "scope": "Test ProjectAPI openid profile",
          "state": "22f72ee3ab9e4dbaa4becc14bd833e72",
          "code_challenge": "9RQMYcTCLp65H3CMIlMXeaVB19HABGBSa5FCWMkDdZc",
          "code_challenge_method": "S256",
          "prompt": "none",
          "response_mode": "query"
        }
      }
info: Duende.IdentityServer.Events.DefaultEventService[0]
      {
        "ClientId": "Test_Project",
        "ClientName": "Test_Project",
        "RedirectUri": "https://localhost:44412/authentication/login-callback",
        "Endpoint": "Authorize",
        "Scopes": "Test ProjectAPI openid profile",
        "GrantType": "authorization_code",
        "Error": "invalid_scope",
        "ErrorDescription": "Invalid scope",
        "Category": "Token",
        "Name": "Token Issued Failure",
        "EventType": "Failure",
        "Id": 2001,
        "ActivityId": "0HMHJ632ULJH2:00000002",
        "TimeStamp": "2022-05-11T09:31:40Z",
        "ProcessId": 8348,
        "LocalIpAddress": "127.0.0.1:7140",
        "RemoteIpAddress": "127.0.0.1"
      }

When the Angular client tries to log in with OpenID Connect, it requests the scopes of Test ProjectAPI openid profile. This should probably be Test_ProjectAPI openid profile. I'm not sure if the scopes are being set correctly in the backend by the Identity Server. This breaks the login/registration flow as well as the Fetch Data tab. I haven't tested this with the React or Vue templates, but it is possible that this issue might not only occur in the Angular template.

Specifications

OS: Windows 11 21H2
IDE: JetBrains Rider 2022.1.1
.NET: v6.0.202

Note:
I'm not sure whether this is an issue with the Angular SPA template, the Identity Server, or ASP.NET Core. If this issue would be better suited to another repository, please let me know.

@JeremyEastham
Author

I can verify that if I visit /.well-known/openid-configuration that the scopes_supported array includes a Test ProjectAPI scope.

{
    "scopes_supported": [
        "openid",
        "profile",
        "Test ProjectAPI",
        "offline_access"
    ]
}

I'm not sure if OpenID Connect scopes can contain spaces. If scopes can be quoted in the request, they likely can, but I'm not sure how the specification reads. If scopes can contain spaces, the error is in the client (the scope needs to be quoted). If scopes cannot contain spaces, the error is in the server (the scope needs an underscore instead of a space).

@JeremyEastham
Author

According to OAuth 2.0 RFC6749 Section 3.3:

The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings. The strings are defined by the authorization server. If the value contains multiple space-delimited strings, their order does not matter, and each string adds an additional access range to the requested scope.

scope       = scope-token *( SP scope-token )
scope-token = 1*( %x21 / %x23-5B / %x5D-7E )

It explicitly defines that scopes cannot contain spaces (%x20 = ' ') and that scopes cannot be quoted (%x22 = '"').

Therefore, the error is in the server-side implementation. It should not allow a scope that contains a space. It should either throw an error, or replace the space with an underscore. If the space is allowed in the scope, the server will not be fully OAuth 2.0/OpenID Connect 1.0 compliant.
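The following is an added example, not code from the issue, from the ASP.NET Core SPA templates, or from IdentityServer. It implements the RFC 6749 section 3.3 grammar quoted above as a small validator and then replays the request from the log: the advertised scope "Test ProjectAPI" is rejected as a scope-token, the requested scope string splits into four tokens so "Test" and "ProjectAPI" come back as unknown (matching the DefaultResourceValidator failures), and the underscore replacement the comment proposes yields a legal token. Function names and the supported-scope set are assumptions constructed from the log, not the server's real API.

```python
"""Validate OAuth 2.0 scope values against the ABNF in RFC 6749 section 3.3.

Added example (not part of the issue, the SPA templates, or IdentityServer).
"""
import re
from typing import Dict, List, Set

# scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
# i.e. printable ASCII except space (%x20), double quote (%x22) and backslash (%x5C).
SCOPE_TOKEN_RE = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")
ILLEGAL_CHARS_RE = re.compile(r"[^\x21\x23-\x5B\x5D-\x7E]+")


def is_valid_scope_token(token: str) -> bool:
    """True if token matches scope-token exactly (at least one legal char, nothing else)."""
    return SCOPE_TOKEN_RE.fullmatch(token) is not None


def parse_scope(scope: str) -> List[str]:
    """Split a scope parameter on single SP characters, as the grammar requires.

    A double space produces an empty token, which violates 1*(...) and is rejected,
    as is any token containing a space, quote or backslash.
    """
    if scope == "":
        raise ValueError("scope must not be empty")
    tokens = scope.split(" ")
    for token in tokens:
        if not is_valid_scope_token(token):
            raise ValueError(f"invalid scope-token: {token!r}")
    return tokens


def normalize_scope_name(name: str) -> str:
    """Server-side fix proposed in the comment: replace illegal characters with '_'.

    Hypothetical helper; a template would apply this when deriving the API scope
    name from the project name.
    """
    cleaned = ILLEGAL_CHARS_RE.sub("_", name).strip("_")
    if not cleaned:
        raise ValueError(f"no legal scope-token characters in {name!r}")
    return cleaned


def register_scope(name: str) -> str:
    """What a compliant server should do at registration time: refuse illegal names."""
    if not is_valid_scope_token(name):
        raise ValueError(f"scope {name!r} is not a valid RFC 6749 scope-token")
    return name


def check_requested_scopes(requested: str, supported: Set[str]) -> Dict[str, object]:
    """Replay the validator's view of an authorize request: which tokens are unknown."""
    tokens = parse_scope(requested)
    unknown = [t for t in tokens if t not in supported]
    return {"tokens": tokens, "unknown": unknown, "ok": not unknown}


if __name__ == "__main__":
    # Constructed from the discovery document and log quoted in the issue.
    advertised = {"openid", "profile", "Test ProjectAPI", "offline_access"}
    print(check_requested_scopes("Test ProjectAPI openid profile", advertised))
    # The advertised API scope is itself illegal, so a compliant server would
    # have refused to register it rather than serve it in scopes_supported.
    print(is_valid_scope_token("Test ProjectAPI"))
    print(normalize_scope_name("Test ProjectAPI"))
```

Quoting the scope in the client, as the second comment considered, does not help either: a token containing %x22 fails the same grammar, which is why the fix belongs on the server (or template) side.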
