I am trying to host IdentityServer4 with ASP.NET Core 3.1. When I try to request a token from Postman for client credentials, I always get invalid_scope; not sure what is missing.
I am using IdentityServer4 v3.1.2.
var builder = services.AddIdentityServer()
    .AddInMemoryIdentityResources(Config.Ids)
    .AddInMemoryApiResources(Config.Apis)
    .AddInMemoryClients(Config.Clients);
new Client
{
    ClientId = "client",
    ClientName = "Client Credentials Client",
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    ClientSecrets = { new Secret("511536EF-F270-4058-80CA-1C89C192F69A".Sha256()) },
    AllowedScopes = { "api1" }
}
[21:53:57 Debug] IdentityServer4.Hosting.EndpointRouter
Request path /connect/token matched to endpoint type Token
[21:53:57 Debug] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
[21:53:57 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[21:53:57 Debug] IdentityServer4.Endpoints.TokenEndpoint
Start token request.
[21:53:57 Debug] IdentityServer4.Validation.ClientSecretValidator
Start client validation
[21:53:57 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser
Start parsing Basic Authentication secret
[21:53:57 Debug] IdentityServer4.Validation.PostBodySecretParser
Start parsing for secret in post body
[21:53:57 Debug] IdentityServer4.Validation.SecretParser
Parser found secret: PostBodySecretParser
[21:53:57 Debug] IdentityServer4.Validation.SecretParser
Secret id found: client
[21:53:57 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client client succeeded.
[21:53:57 Debug] IdentityServer4.Validation.SecretValidator
Secret validator success: HashedSharedSecretValidator
[21:53:57 Debug] IdentityServer4.Validation.ClientSecretValidator
Client validation success
[21:53:57 Debug] IdentityServer4.Validation.TokenRequestValidator
Start token request validation
[21:53:57 Debug] IdentityServer4.Validation.TokenRequestValidator
Start client credentials token request validation
[21:53:57 Error] IdentityServer4.Validation.ScopeValidator
Requested scope not allowed: api1
[21:53:57 Error] IdentityServer4.Validation.TokenRequestValidator
{"ClientId": "client", "ClientName": "Client Credentials Client", "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "api1", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}
[21:54:11 Debug] IdentityServer4.Hosting.EndpointRouter
Request path /connect/token matched to endpoint type Token
[21:54:11 Debug] IdentityServer4.Hosting.EndpointRouter
Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
[21:54:11 Information] IdentityServer4.Hosting.IdentityServerMiddleware
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[21:54:11 Debug] IdentityServer4.Endpoints.TokenEndpoint
Start token request.
[21:54:11 Debug] IdentityServer4.Validation.ClientSecretValidator
Start client validation
[21:54:11 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser
Start parsing Basic Authentication secret
[21:54:11 Debug] IdentityServer4.Validation.PostBodySecretParser
Start parsing for secret in post body
[21:54:11 Debug] IdentityServer4.Validation.SecretParser
Parser found secret: PostBodySecretParser
[21:54:11 Debug] IdentityServer4.Validation.SecretParser
Secret id found: client
[21:54:11 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client client succeeded.
[21:54:11 Debug] IdentityServer4.Validation.SecretValidator
Secret validator success: HashedSharedSecretValidator
[21:54:11 Debug] IdentityServer4.Validation.ClientSecretValidator
Client validation success
[21:54:11 Debug] IdentityServer4.Validation.TokenRequestValidator
Start token request validation
[21:54:11 Debug] IdentityServer4.Validation.TokenRequestValidator
Start client credentials token request validation
[21:54:11 Error] IdentityServer4.Validation.ScopeValidator
Requested scope not allowed: api1
[21:54:11 Error] IdentityServer4.Validation.TokenRequestValidator
{"ClientId": "client", "ClientName": "Client Credentials Client", "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}
After analysing the logs, I found that the scope value always comes through as empty, and that is because of a casing issue.
In my ApiResource definition, the resource name's first letter is in caps (Api1); that is the reason the comparison fails during the ApiScopes name match.
{"ClientId": "client", "ClientName": "Client Credentials Client", "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}
Should we consider this a bug, or is it expected behaviour?
That's expected.
I'm having a similar issue.
invalid_scope after upgrading to 4.0.0, and this is the log where you can see how the scope is there at first, but not in the Raw values.
Invalid scopes requested, {"ClientId": "client", "ClientName": null, "GrantType": "client_credentials", "Scopes": null, "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "api1", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}
I've just asked about it on Stack Overflow and I'm still investigating what may be different.
https://stackoverflow.com/questions/62543026/identity-server-invalid-scope-in-example-from-the-documentation
Found another issue that pointed me in the right direction. Fixed it by replacing ApiResources with ApiScopes:
public static IEnumerable<ApiScope> Apis =>
    new List<ApiScope>
    {
        new ApiScope("api1", "My Api")
    };
and
var builder =
    services
        .AddIdentityServer()
        .AddInMemoryApiScopes(Config.Apis)
        //.AddInMemoryApiResources(Config.Apis) //OLD?
        .AddInMemoryClients(Config.Clients)
        .AddInMemoryIdentityResources(Config.Ids);
I suppose the docs are not yet updated.
I had the same problem and ended up here on this issue. The docs are up to date and it's possible to see a migration step here. After migrating to the new version 4.x you need to split up Scopes and Resources. Maybe this can help someone else.
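A worked example of the scope/resource split the comments above describe, added here as an illustration; it is not code from this thread or from the IdentityServer4 project's samples. The client id, scope name and the registration calls are the ones used in the thread; the resource name api1-resource, the Config member names, the extension method and the secret placeholder are assumptions.

```csharp
// Added example (not from this issue thread): minimal IdentityServer4 4.x
// configuration in which scopes and API resources are registered separately,
// so a client credentials request for scope=api1 passes ScopeValidator.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Identity resources are not used by the client credentials grant,
    // but registering them keeps the server configuration complete.
    public static IEnumerable<IdentityResource> Ids =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
        };

    // 4.x: scopes are first-class objects. Names are matched exactly
    // (case-sensitive), so "Api1" here would not satisfy a request for api1.
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("api1", "My API"),
        };

    // 4.x: an ApiResource no longer implies a scope of the same name; it lists
    // the scopes that belong to it. Tokens issued for "api1" get this resource
    // name as their audience. "api1-resource" is an assumed name.
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("api1-resource", "My API resource")
            {
                Scopes = { "api1" }
            }
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "client",
                ClientName = "Client Credentials Client",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                // Only the SHA-256 hash is stored server-side; the placeholder
                // stands in for a real secret kept outside source control.
                ClientSecrets = { new Secret("<client-secret-placeholder>".Sha256()) },
                // Must match an ApiScope name exactly; ApiResource names alone
                // are not enough in 4.x (that is the "Requested scope not allowed"
                // case from the logs above).
                AllowedScopes = { "api1" }
            }
        };
}

public static class IdentityServerRegistration
{
    // Assumed extension method name; wires the configuration into DI.
    public static IServiceCollection AddConfiguredIdentityServer(this IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.Ids)
            .AddInMemoryApiScopes(Config.ApiScopes)      // required in 4.x
            .AddInMemoryApiResources(Config.ApiResources) // optional, sets audience
            .AddInMemoryClients(Config.Clients)
            .AddDeveloperSigningCredential();             // development only
        return services;
    }
}

// Token request the client sends (constructed, matches the Raw values in the logs):
//   POST /connect/token
//   Content-Type: application/x-www-form-urlencoded
//
//   grant_type=client_credentials&client_id=client&client_secret=...&scope=api1
```

With this configuration the two failure modes seen in the thread are covered: the scope is registered through AddInMemoryApiScopes rather than only implied by an ApiResource, and its name is spelled in the same case the client requests. AddInMemoryApiResources is kept because it is what puts an audience into the issued access token; leaving it out still yields a valid token, just one with no aud claim for api1.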