When I configured IdentityServer4 to use Entity Framework Core with SQL Server as the storage mechanism, I get a runtime error at login: "unable to login invalid_scope".
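/// <summary>
/// Database initializer that, after the base application seed, migrates the
/// IdentityServer persisted-grant and configuration databases and seeds the
/// configuration store from <see cref="IdentityServerConfig"/>.
/// </summary>
/// <remarks>
/// Each table is seeded only when it is empty, so later edits to
/// <see cref="IdentityServerConfig"/> are not applied to a database that already
/// holds rows for that table.
/// </remarks>
public class IdentityServerDbInitializer : DatabaseInitializer
{
    private readonly PersistedGrantDbContext _persistedGrantContext;
    private readonly ConfigurationDbContext _configurationContext;
    private readonly ILogger _logger;

    /// <summary>
    /// Stores the two IdentityServer contexts and the logger; the application
    /// context, account manager and logger are also passed to the base initializer.
    /// </summary>
    public IdentityServerDbInitializer(
        ApplicationDbContext context,
        PersistedGrantDbContext persistedGrantContext,
        ConfigurationDbContext configurationContext,
        IAccountManager accountManager,
        ILogger<IdentityServerDbInitializer> logger)
        : base(context, accountManager, logger)
    {
        _persistedGrantContext = persistedGrantContext;
        _configurationContext = configurationContext;
        _logger = logger;
    }

    /// <summary>
    /// Runs the base seed, applies pending migrations to both IdentityServer
    /// databases, then seeds clients, identity resources, API scopes and API
    /// resources into any of those tables that is still empty.
    /// </summary>
    /// <returns>A task that completes when migration and seeding are done.</returns>
    public override async Task SeedAsync()
    {
        await base.SeedAsync().ConfigureAwait(false);

        await _persistedGrantContext.Database.MigrateAsync().ConfigureAwait(false);
        await _configurationContext.Database.MigrateAsync().ConfigureAwait(false);

        if (!await _configurationContext.Clients.AnyAsync().ConfigureAwait(false))
        {
            _logger.LogInformation("Seeding IdentityServer Clients");

            foreach (var client in IdentityServerConfig.GetClients())
            {
                _configurationContext.Clients.Add(client.ToEntity());
            }

            await _configurationContext.SaveChangesAsync().ConfigureAwait(false);
        }

        if (!await _configurationContext.IdentityResources.AnyAsync().ConfigureAwait(false))
        {
            _logger.LogInformation("Seeding IdentityServer Identity Resources");

            foreach (var resource in IdentityServerConfig.GetIdentityResources())
            {
                _configurationContext.IdentityResources.Add(resource.ToEntity());
            }

            await _configurationContext.SaveChangesAsync().ConfigureAwait(false);
        }

        // API scopes are stored in their own table and were never seeded here, so a
        // client requesting the API scope had nothing to match against. Because this
        // table is checked on its own, the seed also runs on a database whose other
        // tables were filled earlier.
        // NOTE(review): assumes the IdentityServer4.EntityFramework 4.x model, where
        // ConfigurationDbContext exposes ApiScopes and ApiScope has a ToEntity() mapper.
        if (!await _configurationContext.ApiScopes.AnyAsync().ConfigureAwait(false))
        {
            _logger.LogInformation("Seeding IdentityServer API Scopes");

            foreach (var scope in IdentityServerConfig.GetApiScopes())
            {
                _configurationContext.ApiScopes.Add(scope.ToEntity());
            }

            await _configurationContext.SaveChangesAsync().ConfigureAwait(false);
        }

        if (!await _configurationContext.ApiResources.AnyAsync().ConfigureAwait(false))
        {
            _logger.LogInformation("Seeding IdentityServer API Resources");

            foreach (var resource in IdentityServerConfig.GetApiResources())
            {
                _configurationContext.ApiResources.Add(resource.ToEntity());
            }

            await _configurationContext.SaveChangesAsync().ConfigureAwait(false);
        }
    }
}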
/// <summary>
/// In-code IdentityServer4 configuration: the identity resources, API scope,
/// API resource and clients that the database initializer copies into the
/// configuration store.
/// </summary>
public class IdentityServerConfig
{
    public const string ApiName = "quickapp_api";
    public const string ApiFriendlyName = "QuickApp API";
    public const string QuickAppClientID = "quickapp_spa";
    public const string SwaggerClientID = "swaggerui";

    /// <summary>
    /// Identity resources (used by the UserInfo endpoint): the standard OpenID,
    /// profile, phone and email resources plus a custom roles resource carrying
    /// the role claim.
    /// </summary>
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        var resources = new List<IdentityResource>();

        resources.Add(new IdentityResources.OpenId());
        resources.Add(new IdentityResources.Profile());
        resources.Add(new IdentityResources.Phone());
        resources.Add(new IdentityResources.Email());
        resources.Add(new IdentityResource(ScopeConstants.Roles, new List<string> { JwtClaimTypes.Role }));

        return resources;
    }

    /// <summary>
    /// API scopes: a single scope named <see cref="ApiName"/> that asks for the
    /// name, email, phone number, role and permission claims.
    /// </summary>
    public static IEnumerable<ApiScope> GetApiScopes()
    {
        var apiScope = new ApiScope(ApiName, ApiFriendlyName);

        string[] requestedClaims =
        {
            JwtClaimTypes.Name,
            JwtClaimTypes.Email,
            JwtClaimTypes.PhoneNumber,
            JwtClaimTypes.Role,
            ClaimConstants.Permission
        };

        foreach (var claimType in requestedClaims)
        {
            apiScope.UserClaims.Add(claimType);
        }

        return new List<ApiScope> { apiScope };
    }

    /// <summary>
    /// API resources (needed for the audience to be set on the token): one
    /// resource named <see cref="ApiName"/> that lists the scope of the same name.
    /// </summary>
    public static IEnumerable<ApiResource> GetApiResources()
    {
        var api = new ApiResource(ApiName);
        api.Scopes.Add(ApiName);

        return new List<ApiResource> { api };
    }

    /// <summary>
    /// Clients allowed to request tokens: the QuickApp SPA and Swagger UI.
    /// </summary>
    /// <remarks>
    /// Both are public clients (no client secret) using the resource owner
    /// password grant, so the user's password passes through the client.
    /// NOTE(review): current OAuth security guidance discourages this grant;
    /// authorization code with PKCE is the usual choice for browser clients.
    /// Every scope listed under AllowedScopes must also exist in the
    /// configuration store as an identity resource or API scope.
    /// Client reference: http://docs.identityserver.io/en/release/reference/client.html.
    /// </remarks>
    public static IEnumerable<Client> GetClients()
    {
        var spaClient = new Client
        {
            ClientId = QuickAppClientID,
            // Resource owner password credential grant.
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowAccessTokensViaBrowser = true,
            // No secret is required at the token endpoint.
            RequireClientSecret = false,
            // Refresh tokens are issued, slide on use and are single-use.
            AllowOfflineAccess = true,
            RefreshTokenExpiration = TokenExpiration.Sliding,
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            // AccessTokenLifetime, AbsoluteRefreshTokenLifetime and
            // SlidingRefreshTokenLifetime are not set here, so the library
            // defaults apply; set them (in seconds) to shorten token lifetimes.
        };

        // OpenId is needed for the UserInfo endpoint.
        spaClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId);
        spaClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Profile);
        spaClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Phone);
        spaClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Email);
        spaClient.AllowedScopes.Add(ScopeConstants.Roles);
        spaClient.AllowedScopes.Add(ApiName);

        var swaggerClient = new Client
        {
            ClientId = SwaggerClientID,
            ClientName = "Swagger UI",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowAccessTokensViaBrowser = true,
            RequireClientSecret = false,
        };

        // Swagger UI may only request the API scope.
        swaggerClient.AllowedScopes.Add(ApiName);

        return new List<Client> { spaClient, swaggerClient };
    }
}
No data is seeded into the ApiScopes table.

How to fix this issue?
@Injectable() export class OidcHelperService {
/** Base URL taken from the injected configuration service. */
private get baseUrl() {
  const { baseUrl } = this.configurations;
  return baseUrl;
}
// OAuth client id; it has to equal a ClientId registered on the identity server.
private clientId: string = 'quickapp_spa';
// Space-separated scopes, presumably sent with the token request (confirm against the caller).
// The server rejects a request naming a scope it does not know or that the client is not allowed.
private scope: string = 'openid email phone profile offline_access roles quickapp_api';
/**
 * Receives the service's dependencies. Each one is declared as a private
 * parameter property, so it is stored on the instance under the same name.
 */
constructor(
  private http: HttpClient,
  private oauthService: OAuthService,
  private configurations: ConfigurationService,
  private localStorage: LocalStoreManager,
  private authQuery: AuthQuery
) {}
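........................ Check that the OidcHelperService in your ClientApp has the settings shown above. Every scope requested there must exist on the server as an identity resource or API scope, so an empty ApiScopes table leaves `quickapp_api` unresolved, which is consistent with the invalid_scope error.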