Identityserver4.admin: STS.Identity will return an access token with all scopes if we don't assign any scope in the request payload while requesting a token

Created on 25 Feb 2020 · 3 Comments · Source: skoruba/IdentityServer4.Admin

Hi,

Not sure if this is an issue of IdentityServer 4 or of this project. Please kindly guide me to the right one. Recently, I found that the STS server will give me an access token with all supported scopes of the client if I don't set any scope while fetching the token from the token endpoint. Could anyone shed some light on what happened?

# Request 1: no 'scope' parameter at all ({STSurl}, myClinet and mySecret are placeholders)
curl --location --request POST 'http://{STSurl}/connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=myClinet' \
  --data-urlencode 'client_secret=mySecret' \
  --data-urlencode 'grant_type=client_credentials'

# Request 2: 'scope' parameter sent, but empty
# (the line continuation after grant_type is required, otherwise 'scope=' runs as a separate command)
curl --location --request POST 'http://{STSurl}/connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=myClinet' \
  --data-urlencode 'client_secret=mySecret' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope='

Thanks,

Eason Kang

All 3 comments

Hi @yiskang,
let me check it. I will send an update.
Thanks

This I believe is as per the OAuth standard.

If no scopes are specifically requested then all Allowed Scopes should be returned.

That's a normal behavior for IdentityServer. Be careful when asking for an access token this way, if your client has some unassigned scopes, (scopes that aren't linked to any Api resource or Identity resource / dummy scopes), your request will fail with "invalid_scope" error.
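
The behaviour described in the two comments above (scope omitted or empty means "every scope in the client's AllowedScopes", and an allowed scope that no API or identity resource defines turns that into an invalid_scope error) is easy to reason about with a small model. The following is an added example, not code from IdentityServer4 or from this project; it is a simplified Python model of the token endpoint's scope resolution, plus a helper that reads the scope claim out of a returned access token so you can see what was actually granted. The client ids, scope names and the unsigned sample token are constructed for the example.

```python
"""Simplified model of token-endpoint scope resolution for a
client_credentials request, plus a helper to inspect the scope claim of a
returned JWT. Added example; a model of the behaviour discussed in the
thread, not IdentityServer4's own code."""
import base64
import json
from dataclasses import dataclass


class InvalidScope(Exception):
    """Corresponds to the token endpoint's {"error": "invalid_scope"} response."""


@dataclass(frozen=True)
class Client:
    client_id: str
    allowed_scopes: frozenset  # the client's AllowedScopes configuration


def resolve_scopes(client: Client, defined_scopes: frozenset, scope_param):
    """Return the scopes the token will carry, or raise InvalidScope.

    scope_param is the raw 'scope' form field: None when the parameter is
    omitted, '' when it is sent empty (the second curl in the issue). Both
    count as "not requested", so the client gets all of its AllowedScopes.
    """
    if scope_param is None or not scope_param.strip():
        requested = set(client.allowed_scopes)
    else:
        requested = set(scope_param.split())
    not_allowed = requested - client.allowed_scopes
    if not_allowed:
        raise InvalidScope(f"{client.client_id} may not request {sorted(not_allowed)}")
    # The failure mode from the thread: an allowed scope that no resource
    # defines (a "dummy scope"). With scope omitted it is implicitly
    # requested, so the whole request fails instead of silently dropping it.
    undefined = requested - defined_scopes
    if undefined:
        raise InvalidScope(f"scopes not defined by any resource: {sorted(undefined)}")
    return sorted(requested)


def scopes_in_access_token(jwt: str):
    """Read the scope claim from a JWT payload to see what the STS granted.

    The signature is NOT verified here; this is a debugging aid, not token
    validation. The claim may be a JSON array or a space-separated string
    depending on the issuer, so both shapes are accepted.
    """
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    scope = claims.get("scope", [])
    return sorted(scope.split()) if isinstance(scope, str) else sorted(scope)


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def demo():
    # Hypothetical configuration: api1 and api2 are defined API scopes,
    # 'dummy' is listed in a client's AllowedScopes but defined nowhere.
    defined = frozenset({"api1", "api2"})
    good_client = Client("myClient", frozenset({"api1", "api2"}))
    bad_client = Client("myOtherClient", frozenset({"api1", "dummy"}))

    omitted = resolve_scopes(good_client, defined, None)     # all allowed scopes
    empty = resolve_scopes(good_client, defined, "")         # same as omitted
    explicit = resolve_scopes(good_client, defined, "api1")  # only what was asked
    try:
        resolve_scopes(bad_client, defined, None)
        dummy_fails = False
    except InvalidScope:
        dummy_fails = True  # the invalid_scope case from the comment above

    token = _fake_jwt({"client_id": "myClient", "scope": ["api1", "api2"]})
    return {
        "omitted": omitted,
        "empty": empty,
        "explicit": explicit,
        "dummy_scope_fails": dummy_fails,
        "token_scopes": scopes_in_access_token(token),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence: if a client is only meant to call one API, either send an explicit scope in the request or trim its AllowedScopes, since omitting the parameter is a request for everything the client is allowed to have.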
