
Problem with the scope that is returned in the response to get the token

Open paillave opened this issue 2 years ago • 6 comments

Here is my authentication stack:

  • SimpleIdConnect using PKCE
  • https://github.com/authts/oidc-client-ts of @brockallen (that U certainly heard of 🤣)

When getting the access token using the API token, his client library expects to receive back a scope that is a string in the same format as the scope we usually submit to authentication servers (a sequence of scopes separated by a space). It appears that SimpleIdServer doesn't return a string in this format but an array of strings representing the list of scopes.

By looking in your code, I see this is fully intentional: https://github.com/simpleidserver/SimpleIdServer/blob/f58f998b702f648b9c6f79aed1fcd015872a935e/src/OAuth/SimpleIdServer.OAuth/Api/Token/Handlers/BaseCredentialsHandler.cs#L40-L47

My question is:

Which of the two of you must correct something in their development? 😄

FYI, here is the issue I raised on the oidc-client-ts side: https://github.com/authts/oidc-client-ts/issues/542

paillave avatar May 24 '22 11:05 paillave

Indeed there is an issue in the SimpleIdServer implementation. According to RFC 8693 (it's a draft), section 4.2, the "scope" claim is a JSON string containing a space-separated list of scopes associated with the token (https://datatracker.ietf.org/doc/html/rfc8693#section-4.2).

We are going to make some modifications in the project:

  • By default the scope claim will be returned as a concatenated string.
  • If the Option property "IsTokenScopeArray" is checked then the scope will be returned as an array.

Kind regards,

SimpleIdServer.

simpleidserver avatar May 24 '22 12:05 simpleidserver

Cool, glad that I could help 😃

paillave avatar May 24 '22 14:05 paillave

The issue is fixed in the branch "release/2.0.9". The token endpoint always returns a concatenated list of strings in the scope property (according to the RFC: https://datatracker.ietf.org/doc/html/rfc6749#section-3.3).

An option IsScopeClaimConcatenationEnabled has been added in OauthHostOptions. When this property is set to true, the access token contains a concatenated list of strings in its scope claim; otherwise the scope is an array (https://datatracker.ietf.org/doc/html/rfc8693#section-4.2 : draft).

simpleidserver avatar May 24 '22 14:05 simpleidserver
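The interoperability problem in this thread comes down to how a client parses the "scope" member of the token response. The following is an added example, not code from SimpleIdServer or oidc-client-ts: a client-side parser that accepts both the RFC 6749 section 3.3 space-delimited string and the array form the pre-2.0.9 server returned, validates each scope-token, applies the RFC 6749 section 5.1 rule that an omitted scope means "as requested", and reports any scopes the client never asked for. The sample response bodies are constructed.

```typescript
// Added example (not SimpleIdServer or oidc-client-ts code): tolerant parsing of
// the "scope" member of an OAuth 2.0 token response.

interface TokenResponse {
  access_token: string;
  token_type: string;
  scope?: string | string[]; // array form = pre-fix SimpleIdServer behaviour
}

// RFC 6749 §3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable
// ASCII excluding space, double quote and backslash.
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// Normalise either shape into a de-duplicated list of scope tokens; anything that
// is not a valid scope-token makes the response fail loudly instead of silently.
function normalizeScope(raw: unknown): string[] {
  let tokens: string[];
  if (typeof raw === "string") {
    tokens = raw.split(" ").filter((s) => s.length > 0);
  } else if (Array.isArray(raw) && raw.every((s) => typeof s === "string")) {
    tokens = raw;
  } else {
    throw new Error("scope must be a space-delimited string or an array of strings");
  }
  for (const t of tokens) {
    if (!SCOPE_TOKEN.test(t)) throw new Error(`invalid scope-token: ${JSON.stringify(t)}`);
  }
  return Array.from(new Set(tokens));
}

// RFC 6749 §5.1 lets the server omit "scope" when it is identical to the request,
// so absence means "as requested". Scopes the client never asked for are returned
// separately so the caller can log or reject the response.
function parseTokenResponse(json: string, requested: string[]) {
  const body = JSON.parse(json) as TokenResponse;
  if (typeof body.access_token !== "string") throw new Error("access_token missing");
  const granted = body.scope === undefined ? requested : normalizeScope(body.scope);
  const unrequested = granted.filter((s) => !requested.includes(s));
  return { accessToken: body.access_token, scope: granted.join(" "), unrequested };
}

// Constructed sample bodies: the pre-fix array form and the RFC string form.
const arrayForm = '{"access_token":"at-1","token_type":"Bearer","scope":["openid","profile"]}';
const stringForm = '{"access_token":"at-2","token_type":"Bearer","scope":"openid profile email"}';
```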

Fantastic 😄 Any idea of the date of the first alpha/beta version on nuget?

paillave avatar May 24 '22 14:05 paillave

Probably tomorrow :)

simpleidserver avatar May 24 '22 15:05 simpleidserver

A pre-release package version "2.0.9-ci-00282" is available on the feed "https://www.myget.org/F/advance-ict/api/v3/index.json"

simpleidserver avatar May 24 '22 20:05 simpleidserver