-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AllowedScopes
feature is not functioning as anticipated during authentication with the OpenIddict server
#2177
Comments
@raman-m can you please help resolve this? |
We do not use this Auth provider and have not tested it, so we cannot assist with its integration. Our core services are thoroughly tested with the IdentityServer4 provider only. It is possible that our core auth services do not support the models of your Auth provider.
This error is generated by this line of code:
This implies that the matchesScopes collection is empty following the intersection. It would be beneficial to debug the following line accordingly:
It appears that the _claimsParser service is parsing the data from the OpenIddict token incorrectly. Could you debug it?
|
@hosamyousof Hosam, why have you been silent? |
Thanks @raman-m, |
Hi @raman-m, Please refer to the following screenshots for more details. Could you confirm if it's appropriate to split the |
Proposed fixReplace this: var userScopes = new List<string>();
foreach (var item in values.Data)
{
userScopes.AddRange(item.Split(' '));
} |
Yes, it is! It is appropriate. For your authentication provider, you need to write a custom parser for the claim value that contains the roles as whitespace-separated values, which are provided by the authentication provider. Following this, the intersection should not be empty and will contain the exact role required. |
The code may function as intended, but it seems incomplete. A more robust solution would be to replace the |
First... We have
used in
Second... Also,
Seems this method is exactly what you need, 😃 right? So, you have multiple values claim type (with whitespace-separated roles), and you need to call it somehow with these params: _claimsParser.GetValue(claimsPrincipal.Claims, Scope, " ", 0) I think it should work. 😉 Lastly... The problem is that in
after successful authentication by scopes we must authorize by roles aka RouteClaimsRequirement here
In the given user scenario, the authentication stage fails due to the whitespace-separated value of the scope claim from the OpenIddict token. It appears that the IClaimsParser service, which functions correctly, should not be replaced. Instead, the IScopesAuthorizer service should be replaced, specifically by rewriting the Authorize method. Would you agree? However, replacing it with a customized IClaimsParser service could also be effective.
|
Hosam, did you search our repository for the same issue? It appears not, right? 😄 We have open PRs that address this OpenIddict issue:
I will prioritize your issue by linking it to PR #1431. Additionally, I encourage you to contribute to the completion of #1431, okay? |
AllowedScopes
feature is not functioning as anticipated during authentication with the OpenIddict server
Discussed inP.S. To locate all links related to the problem area, search for ScopesAuthorizer within the repository. |
Thanks Raman for your great support. Yes, I did search quickly, but I didn't find anything directly related to the AllowedScopes with OpenIddict server 😅. Sure, I can contribute to complete the PR. |
Yes, I agree. 😊 |
@raman-m do you have any comments to the following fix? Adding another overload of
Then modify the |
@raman-m should I create a PR? |
Did you noticed the linked PR #1431 ? Why not to reuse this PR? Would you like to complete and deliver it? The issue of owning the PR (pushing commits) can be resolved by forking it to my account and adding you as a collaborator. Alternatively, we could request the author to add you, but it appears that the author is no longer interested in the PR. Don't you like this idea? |
And what changes will be included? One extra method which will be called from authorization middleware during authentication step? |
I'm not sure if the PR #1431 will solve the issue because there are a lot of changes. |
As a Senior Software Engineer (Team Lead) at OXO E-Shops and Technical Lead at SARsatX 😄, you should recognize that the mentioned PR could be further developed to ultimately support token claims from OpenIddict during the authentication phase. However, it appears you have no intention of contributing. In response to your direct question:
As mentioned, the linked PR should resolve the issue. I will ensure to double-check and incorporate additional parser logic when finalizing this PR. |
I think there is a misunderstanding 😒. I'm willing to contribute, but I'm really very busy.
Thanks for the hint!. That's what I've already done as a temporary solution, I replaced the currently registered |
Could you show your code here plz? |
Sure! Here is the replacement of ScopesAuthorizer with the new custom OpenIddictScopesAuthorizer in the program.cs
Here is the OpenIddictScopesAuthorizer with the new implementation of
|
Expected Behavior
The quote from the documentation: Authentication | Allowed Scopes
Actual Behavior
Validating one scope is not working and return 403 Forbidden.
The user access token has permission to two scopes
'InfraAPIs AdminAPIs'
and I want to validate theInfraAPIs
scope only in the rule in ocelot.json like:Error log message from ocelot:
OpenIddict validation handler configuration in program.cs:
If I set all the scopes it's working but I want only to set one scope for the rule in ocelot.json.
Steps to Reproduce the Problem
Use the provided configuration and make call to endpoint.
Specifications
The text was updated successfully, but these errors were encountered: