Hi,
Not sure if this is an issue of the identity server 4 or this project. Please kindly guide me to the right one. Recently, I found the STS server will give me an access token with all supported scopes in the client if I don't set any scope while fetching the token with the token endpoint. Could anyone shed some light on what happened?
curl --location --request POST 'http://{STSurl}/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myClinet' \
--data-urlencode 'client_secret=mySecret' \
--data-urlencode 'grant_type=client_credentials'
curl --location --request POST 'http://{STSurl}/connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=myClinet' \
--data-urlencode 'client_secret=mySecret' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'scope='
Thanks,
Eason Kang
Hi @yiskang
Let me check it. I will send an update.
Thanks
This I believe is as per the OAuth standard.
If no scopes are specifically requested then all Allowed Scopes should be returned.
That's a normal behavior for IdentityServer. Be careful when asking for an access token this way, if your client has some unassigned scopes, (scopes that aren't linked to any Api resource or Identity resource / dummy scopes), your request will fail with "invalid_scope" error.
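A check for the behaviour discussed in this thread, added here as an example and not code from IdentityServer4 or from any poster: it decodes an access token's payload and reports scopes the caller did not ask for, so a request with a missing or empty `scope` shows up as over-granted. The scope names, client name and unsigned sample token are constructed, and the payload is read without signature verification because this is an inspection helper only.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(token: str) -> set:
    """Scopes carried by the token; the claim may be a JSON array or a
    space-delimited string, so both forms are normalised to a set."""
    scope = jwt_claims(token).get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def unrequested_scopes(requested: str, token: str) -> set:
    """Scopes in the token that were not in the space-delimited request."""
    return granted_scopes(token) - set(requested.split())


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample: a client whose allowed scopes are all three below,
# as returned when the token request carried no scope (hypothetical names).
SAMPLE = make_sample_token({
    "client_id": "exampleClient",
    "scope": ["api1.read", "api1.write", "api2.admin"],
})

if __name__ == "__main__":
    # The caller meant to ask only for api1.read.
    extra = unrequested_scopes("api1.read", SAMPLE)
    print("unrequested scopes in token:", sorted(extra))
```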